Category: Links to documents

2018 Ontario Provincial Election to use vote counting computers

The 2018 Ontario Provincial Election taking place on June 7, 2018 will for the first time use vote counting computers province-wide.  This replaces hand-counting of ballots.

The computer vote tabulators use optical scan technology to read hand-marked paper ballots.

This is the least-worst use of computer technology for vote counting as the hand-marked ballots are still available to be counted.  However, these are still computers that have to be programmed, which means there is always the potential for errors or malicious code.

Key Questions

Fundamentally in elections, you don’t trust anyone.  That means you don’t trust the computer vote tabulator either.  Use of computer vote tabulators introduces the following key questions:

  • Will there be a public hand-counted risk-limiting audit following every election, to test the computer count?
  • In the case of a recount, will the ballots be hand-counted under judicial supervision, or will the ballots be run through the computer vote tabulators again?  (It appears that the legislation requires a hand count of the recounts to use a manual hand-count of the paper ballots.)

The new voting procedures were launched with a May 9, 2018 press release (PDF) and accompanying media event.

Elections Ontario is modernizing the voting process and putting the needs of electors first by introducing technology in the polls. Election officials will be using electronic poll books (e -Poll books) and vote tabulators across the province for advance voting. On election day, 50% of the polls will have vote tabulators and e-Poll books … serving 90% of electors.

There was a Canadian Press story by Liam Casey, see e.g. CBC News – Ontario to use electronic voting machines for first time in spring election – May 9, 2018.

The tabulator is a Dominion Voting ImageCast® Precinct computer optical scan vote tabulator.

The history is buried in the post-event reports for two byelections that tested the technology:

It is very clear from the Proposal that the key issue is staffing; the technology is being introduced to address poll staffing issues.

Additional Questions and Considerations

Disclaimer: I am not a lawyer.

Additional questions raised by the use of computer vote counting equipment:

  • Are there provisions for erasing the digital copies of the ballots stored by the vote counting equipment? (I see no procedures described in law. Organisations often do not consider the security implications of digital copies of scans, see e.g. CBS News – Digital Photocopiers Loaded With Secrets – April 19, 2010.)
  • What are the security implications, in particular the chain-of-custody implications, of sharing computer vote counting equipment with other jurisdictions (e.g. Ontario municipalities)?  Doesn’t the risk of computer code alteration increase with each new jurisdiction that has access to the machine?
  • What are the procedures for transmitting the results of the computer count to Elections Ontario?  Is the count based on printouts from the vote tabulators, the vote tabulator memory cards, or transmission over a network?  What are the security implications of permitting the computer vote counting equipment to be connected to a network in order to transmit the count?  See e.g. Freedom to Tinker – Are voting-machine modems truly divorced from the Internet? – February 22, 2018.
  • What are the procedures for handling the vote tabulator memory cards?

In the March 22, 2018 Guelph Mercury article Ontario’s voting system secure, chief election official says the following statement is made by the Chief Electoral Officer:

“The Ontario government has hired a cybersecurity team to assist any of the ministries with private security — and we’ve been working with that team over the last year, year and a half, and they’ve been working with all of our systems,” he said.

“They’ve been doing penetration testing, vulnerability testing … to ensure that our systems are up-to-date and secure. There have been some slight alterations based on their recommendations, and we are very confident and we take security very, very seriously.

“I want to make sure that all the systems and all the personal information that we have is protected.”

  • Will these tests be made available to the public?  Including both the test procedures and the results?
  • Why doesn’t the Ontario Election Act section 4.5 (3) 3. include independent security and integrity testing for computer vote tabulators, in addition to logic and accuracy testing, as is required for accessible voting equipment in 44.1 (5)?
  • Will the independent security and integrity reports required by 44.1 (5) be made available to the public?
  • Will the machines be made available for independent expert testing, by Canadian academics who are computer security experts?
  • Will the machines be made available for independent expert testing by hackers, e.g. in DefCon Voting Village or at e.g. Canadian Hackfest?
  • As the computer vote tabulators stack ballots in sequence in a bin, in theory it is possible to de-anonymise the votes by carefully tracking voters as they cast ballots.  Is there any provision for randomising the stacked ballots in order to prevent this potential risk?

For more about what it means to change from public hand-counted ballots to ballots counted by a computer from a private for-profit company, see computer vote counting is a radically different trust model.

Governing Legislation

The governing law is the Ontario Election Act, R.S.O. 1990, c. E.6

The relevant sections, modified in 2016 (Election Statute Law Amendment Act, 2016, S.O. 2016, c. 33 – Bill 45) and in force as of January 1, 2017 are:

  • Authority to share equipment and resources – 4.0.3 (1) The Chief Electoral Officer may make equipment, advice, staff, or other resources available to other electoral authorities in Canada.
  • Use of vote counting equipment – 4.5 (1) The Chief Electoral Officer may issue a direction requiring the use of vote counting equipment during an election and modifying the voting process established by this Act to permit the use of the equipment.

Next section blockquoted due to complexity:

Restrictions re equipment

4.5 (3) The following restrictions apply with respect to the use of vote counting equipment:

1. The equipment must not be part of or connected to an electronic network, except that the equipment may be securely connected to a network after the polls close, for the purpose of transmitting information to the Chief Electoral Officer.

2. The equipment must be tested,

i. before the first elector uses the equipment to vote, and
ii. after the last elector uses the equipment to vote.

3. For the purpose of paragraph 2, testing includes, without limitation, logic and accuracy testing.

4. The equipment must not be used in a way that en­ables the choice of an elector to be made known to an election official or scrutineer.

  • Recount conducted manually – 74.1 A recount that is made from the actual ballots shall be conducted manually, even if the original count was done by vote counting equipment. 2010, c. 7, s. 31.

The only section that speaks about voting equipment security appears to apply solely to section 44.1 Accessible voting equipment

Accessible voting equipment, etc.

44.1 (1) At an election, accessible voting equipment and related vote counting equipment shall be made available in accordance with this section and in accordance with the Chief Electoral Officer’s direction under subsection (2). 2010, c. 7, s. 24 (1).

Condition

(5) Despite subsection (1), accessible voting equipment and related vote counting equipment shall not be made available unless an entity that the Chief Electoral Officer considers to be an established independent authority on the subject of voting equipment and vote counting equipment has certified that the equipment meets acceptable security and integrity standards. 2010, c. 7, s. 24 (1).

There is no analogous section under 4.5 vote counting equipment.  Disclaimer: I am not a lawyer.

2018 Ontario Provincial Election will not use Internet Voting

Following is verbatim from Elections Ontario Proposal for a technology-enabled staffing model for Ontario Provincial Elections (PDF), page 10 “Why are we not proposing internet voting?”, published sometime in 2016 or 2017.  (Also available from the Legislative Assembly of Ontario Library.)

Recognizing that many of the societal changes we have discussed have been possible because of the evolution of the internet, the questions often posed is: why, when other jurisdictions (such as Ontario municipalities) are moving toward internet voting, is Elections Ontario not exploring or proposing an internet voting solution?

Elections Ontario explored the possibility of internet voting in a comprehensive research study conducted between 2010 and 2012. Recommendations and the full analysis of the study can be found in the Alternative Voting Technologies Report available on our website. In the report Elections Ontario provides implementation criteria for networked voting, and outlines the current barriers to those criteria being met. To date, Elections Ontario has not found a networked voting solution that would protect the integrity of the electoral process.

Because of the requirement for a paper ballot, for the purposes of this pilot project the introduction of internet voting does not address our primary concern: reducing staffing requirements for a General Election. To reduce the staffing requirements for a General Election a solution that maintained a paper ballot while automating processes at the voting location was required. Internet voting may provide another channel for electors to use in the future; however, it would not itself reduce the required staff at voting locations.

Internet voting is often considered in the context of increasing voter turnout. As mentioned in the Alternative Voting Technologies Report there is no conclusive evidence that internet voting will have a positive impact on turnout. More recently, the Internet Voting Project published a report[1] on the 2014 Ontario Municipal Elections that supports this assessment that there is not a correlation between internet voting and increased turnout.

[1] Internet voting project report: results from the 2014 Ontario Municipal Elections.  [Editor’s note: It’s not completely clear which report they are referring to, but probably Internet Voting Project Report August 2016 which states on page 65 “despite comments about observed improvements in turnout, this study, and other research, clearly indicates that Internet voting is not the magic bullet solution to improve voter participation or to engage young people”.]

The Alternative Voting Technologies Report mentioned is available in two parts:

I have also written extensively about the Elections Ontario Alternative Voting Technologies Report in blog post Province of Ontario Internet voting.

Bill C-76 Elections Modernization Act – changes implicating electronic voting

April 30, 2018 – 42nd Parliament, 1st Session – Bill C-76 Elections Modernization Act

The proposed changes to section 18.1:

  • a specific section 18.1(3) providing that the Chief Electoral Officer “shall develop, obtain or adapt voting technology for use by electors with a disability, and may test the technology for future use in an election”
  • in 18.1(4) the removal of the requirement that using electronic voting (“voting technology”) require the approval of the full Senate and House of Commons

It’s a bit unclear what the difference is between 18.1(2) “alternative voting process” and 18.1(3) “voting technology”.  Can an alternative voting process include new technology?  I have to assume so, particularly given how it is framed in the Chief Electoral Officer’s recommendations.  (There is no definition provided in the bill for “alternative voting process”).

In An Electoral Framework for the 21st Century: Recommendations from the Chief Electoral Officer of Canada Following the 42nd General Election, Table A—Recommendations Discussed in Chapters 1 and 2, A15. 18.1 it says “The distinction between the approval requirement for testing an electronic voting process and any other alternative voting process should be removed”.

Proposed Changes

2014, c. 12, s. 8
15 Sections 18.‍01 and 18.‍1 of the Act are replaced by the following:
International cooperation
18.‍01 The Chief Electoral Officer may provide assistance and cooperation in electoral matters to electoral agencies in other countries or to international organizations.
Voting studies
18.‍1 (1) The Chief Electoral Officer may carry out studies on voting, including studies respecting alternative voting means.
Alternative voting
(2) The Chief Electoral Officer may devise and test an alternative voting process for future use in an election.
Voting technology — electors with a disability
(3) The Chief Electoral Officer shall develop, obtain or adapt voting technology for use by electors with a disability, and may test the technology for future use in an election.
Prior approval
(4) Neither an alternative voting process nor voting technology tested under subsection (2) or (3) may be used in an election without the prior approval of the committees of the Senate and of the House of Commons that normally consider electoral matters.

Existing Text

Clause 15: Existing text of sections 18.‍01 and 18.‍1:
18.‍01 The Chief Electoral Officer may, at the Governor in Council’s request, provide assistance and cooperation in electoral matters to electoral agencies in other countries or to international organizations.
18.‍1 The Chief Electoral Officer may carry out studies on voting, including studies respecting alternative voting processes, and may devise and test an alternative voting process for future use in a general election or a by-election. Such a process may not be used for an official vote without the prior approval of the committees of the Senate and of the House of Commons that normally consider electoral matters or, in the case of an alternative electronic voting process, without the prior approval of the Senate and the House of Commons.

San Francisco Internet voting

By a unanimous 6-0 vote, on April 19, 2017 the San Francisco Elections Commission recommended against Internet voting at all levels of government:

RESOLVED, That it be the policy of the Elections Commission to oppose allowing votes in United States local, state, and federal elections to be cast over the internet, including by email.

See San Francisco Elections Commission – Resolution on Internet Voting (PDF)

Canadian reports on election security and misinformation

Government of Canada

Academia

Finland recommends against Internet voting

Finland did an extensive study in 2017, running from February to November, and reported its final results in December.

The report concluded that the risks of online voting outweigh its benefits.

The original government web page has been replaced by a new page: Nettiäänestyksen esiselvitys. Documents are in section Asiakirjat (“Documentation”).
SIDEBAR: The last archive of the previous Nettiäänestys page is from June 16, 2017. END SIDEBAR

Press releases

Reports

Key Statements

Online voting technology and the development of the structures required for the system are not yet at a level that would enable a sufficiently secure implementation and introduction of the system. There are still open questions in terms of verifiability and the secrecy of the ballot. It is not expected that the key risks related to online voting would be solved in the next few years.
The monitoring group came into the conclusion that online voting should not be introduced in general elections, because the risks involved are greater than the benefits. Online voting would not resolve the current problems, such as the low voter turnout.

Previously:
March 14, 2017  Internet voting in Finland

PEI 2016 Plebiscite Voting Integrity Audit Report recommends against federal and provincial Internet voting

Prince Edward Island (PEI) – 2016 Plebiscite on Democratic Renewal – Voting Integrity Audit Report – from the Independent Technical Panel on Voting Integrity (ITPVI) – November 30, 2016

This report is Section 3 Appendix in the 2016 Annual Report of the Chief Electoral Officer of PEI  (PDF), starting on page 35.

Section 11 of the Voting Integrity Audit Report is Considerations for Applying E-Voting Options [Internet voting] in Canadian Public Elections.

The report recommends against Internet voting at the federal and provincial levels, except for absentee voters.

There is a need to maintain an acute level of awareness of the risks to electoral integrity that these new voting methods present. The implications of a breach of the public trust that exists today suggests strongly that internet and telephone voting in Canadian provincial and federal parliamentary elections be considered channels that should be limited to use only by absentee voters for the immediate foreseeable future. …

It is important that leaders in Canadian electoral administration manage public expectations and articulate their concerns about the fact that a perfectly secure and fool-proof electronic voting system does not yet exist.

This recommendation was picked up in the news media, e.g. CBC News PEI – Online voting not ready for federal, provincial election: officials – May 4, 2017.

The group concluded a high-stakes provincial or federal election could attract groups looking to intervene in illicit ways through cyber-attacks, hacking or other means.

The report also does an excellent job of showing the “additional risks and controls associated with online electronic voting” [Internet voting]. These include (highlighting by me):

1. Trusted digital voter identification and authentication is a requisite additional control. An irrefutable digital identity is the first safeguard in ensuring that eligible voters can vote (and can vote only once), and in ensuring that ineligible voters are not permitted to vote. Establishing this identity with a robust ‘shared secret’ is a mandatory prerequisite.

2. The onus is on the buyers, designers, developers, maintainers and operators of any electronic voting system to demonstrate rigor in the specifications, certifications, accreditations, testing and operation of the e-voting system to ensure it is able to mitigate the full range of risks to a reasonable and acceptable level. This has to be achieved to a level of satisfaction regarding both hardware and software risk mitigation. The remaining level of risk needs to be accepted by all stakeholders.

3. With the elimination of the controls that were previously implemented in manually controlled voting processes (refer Appendix ‘G’: Controls C1 – C5), traditional risks are not as fully mitigated as before. In fact, the following risks are difficult to mitigate in any meaningful way:
a. Vote buying / vote secrecy (“I’ll just take a selfie in front of my screen”)
b. Voter coercion (Unless reported, it is impossible to determine if a vote is being coerced)

4. The risk of a voter voting with stolen credentials can only be partially mitigated by effective voters list management and the implementation of a trusted digital voter identification and authentication scheme. Digital voter identification must be robust, but it must also be easily managed so as not to become a barrier to voting because it is overly complex for a voter to use as seldom as once every four years.

5. The additional risks of compromised end-user hardware or software, or a broad regional or national attack on internet infrastructure, remain unmitigated.

The report also identifies the extremely high standard to which we must hold Internet voting, as the transparency provided by conducting paper ballot voting and counting in public are lost when using completely computerized processes.  Highlighting added by me.

The onus is also completely on the online electronic voting system implementer to ensure that controls are established within the e-voting system that meet the legislative requirements of the jurisdiction, and provide an adequate level of transparency for all stakeholders. Simply depositing electronic votes into a ‘black-box’ where they are stored and counted is unlikely to meet stakeholder demands for maintaining a high level of public confidence, unlikely to publicly show that voting risks are continuing to be
managed responsibly, and unlikely to prove to candidates and political parties that the electoral process and controls continue to deliver a trusted and accurate result.

SIDEBAR on turnout:
A demonstration of the reality of Internet voting turnout was the 2016 Prince Edward Island Plebiscite on Democratic Renewal which had 10 days of online voting in addition to two days of in-person voting. Not only was the overall turnout low at 36.5%, but the turnout for ages 18-24 was the lowest of any age range, at 25.47%.

Numbers from McLeod, G. B. (2016, November 9). Interim Report of the Chief Electoral Officer for the 2016 Plebiscite on Democratic Renewal. http://www.gov.pe.ca/photos/original/elec_demrefpleb.pdf
END SIDEBAR