Category: Links to video

Considering online voting including Estonia

There are three fundamental challenges with public discussions about online voting:

  • The majority of computer scientists, particularly computer scientists with expertise in voting systems, recommend against online voting, but journalistic false balance often presents this as one computer scientist vs. one online voting advocate.
  • The dedicated resources available from nations and vendors to promote online voting vastly outweigh the nondedicated volunteer resources available from computer security experts to explain the issues with online voting.
  • Voting appears simple but is actually complex, with many essential requirements that are hard to capture in a soundbite.  This makes it easier to make a convincing-sounding but incorrect “common sense” convenience argument for online voting than to make the correct technical requirements counter-argument.

Consensus Opinion

Basically if the press were actually representative about this “debate”, it would be like John Oliver’s classic expert-weighted debate, with 97 experts on one side and 3 sceptics on the other.  So any time you see an online voting “debate” on TV or in print, I want you to imagine 97 expert computer scientists recommending against online voting, and 3 promoters with various agendas advocating for it.

I don’t have the ability to construct that kind of visual, but just to make it clear, what I am writing recommending against online voting is not just one voice, and it’s not just 16 leading computer security experts, it’s the overwhelming consensus view. It’s the view in the computer scientist community. In 2004 the Association for Computing Machinery, the world’s largest scientific and educational computing society (with a membership now of approximately 100,000) issued a Statement on Voting Systems, which includes the following text:

voting systems should enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.

It’s this consensus view that is summarized by the City of Toronto

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware

And if you wish there were some process to assemble a scientifically representative consensus into a document, well, I have good news.  The US National Academies of Sciences, Engineering and Medicine (NASEM) knows exactly how to run a process to report on expert consensus, and they did.  Their report recommends against Internet voting.

Secure Internet voting will likely not be feasible in the near future.

So to be blunt, if you’re in favour of online voting, you’re against the scientific consensus.  You’re also against the conclusion of 99.5% of the countries in the world.

National Online Voting Only In One Country

There are approximately 200 countries in the world.  Of those, the number of countries that offer online voting for all citizens in all elections is one.  One country of approximately 1.3 million citizens, where the total number of votes cast in each election is roughly 600,000.  Where the majority of voters still cast their votes on paper, on election day.

One country where offering online voting is part of branding the nation as e-Estonia, including consistent promotion.  Does your country invest in promoting its election system internationally?  Maybe that’s why there aren’t many international news stories about your country’s voting system, but there are lots about Estonia’s.

Computer security experts simply don’t have the scale and reach that a national public relations initiative has.

It takes months of dedicated journalism to do a comprehensive story about the issues with online voting. Which, fortunately, Eric Geller did: Online voting is a cybersecurity nightmare.

Unfortunately, the reality of deadlines, lack of expertise in computer security and lack of expertise in the actual requirements for voting systems means that most articles don’t go into the same depth.

As a result, reporting on Estonia’s online voting tends to be relentlessly positive.

But in article after article there are also a number of things that don’t get said about Estonian elections, including:

  • turnout declined in the last national election, in the last two local elections, and in the 2014 European Parliamentary election
  • turnout in the 2015 Estonian national election was lower than turnout in Canada and the UK

Estonia national turnout 2015

  • the smallest number of votes cast is by the 18-24 year old age group
  • online voting is offered for advance voting only, and requires a national digital identification infrastructure
  • Although Estonia has observing, auditing and testing procedures, the only time international computer security experts were invited to observe the process was in 2014.  Those outside observers found “There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers”. Since that report, international computer security experts have not been invited back.

You can read about the 2014 study in Practical Attacks on Real-world E-voting, 7.3.2 Estonia’s Internet Voting System. Or you can watch J. Alex Halderman explain it

SIDEBAR: The 2016 study by the Cyber Studies Programme at the Department of Politics and International Relations, University of Oxford.

The University of Oxford conducted a study of Estonia’s Internet voting in 2016, entitled The Estonian Internet Voting System – An Independent Assessment of the Procedural Components.

It’s important to note the “procedural components” part of the description.  The study (PDF) states specifically:

We review the general procedural security components of the system, particularly procedural security controls, …. We therefore do not focus on software engineering or encryption related issues in the computer systems.

Additionally, this study was based on reported procedures, not direct observation.

Finally, we must state that there is one main limitation to our work. This relates to the fact that our research relies on interview reports on voting processes and systems from individuals in Estonia, as opposed to direct observation of the I-Voting system in process.

The 2016 Oxford study is therefore not comparable in either scope or methods to the direct observations of the international experts in the 2014 Independent Report on E-voting in Estonia.

END SIDEBAR

All Countries That Study Online Voting Reject It

At a national level, Internet voting has been studied by the Parliament of Australia, by a Canadian Parliamentary Committee, and by Finland.  Each study recommended against online voting.

Lithuania was considering online voting, but as best I can conclude through a layer of Google translation, has rejected it on national security grounds.

“Interior Minister Eimutis Misiūnas is still skeptical about online voting, according to him, until there is an absolute guarantee of security, elections must take place in a traditional way.”

LRT.lt – E. Misiūnas dėl balsavimo internetu – kol kas skeptiškas (March 1, 2018)

Rytis Rainys, Director of the National Cyber Security Center, is not sure about the security of online voting.
“Fears about cyber security are one of the main reasons why this process stops,” he said. “These fears are not only justified but also based on facts, mass incidents that we have in Lithuania.”

LRT.lt – Internetu balsuojanti estė: tai nepalanku kai kurioms partijoms (February 28, 2019)

Online Voting And National Security

When Deloitte studied cybersecurity as it relates to elections for Australia, they found

The main concern is not the actual damage that cyber attacks can cause to individual electoral system components, although it exposes the individual jurisdiction to significant reputational damage. The bigger concern is that any reports of attempted or successful breaches gives adversaries the ability to sow doubt in the security and integrity of electoral processes.

Australia – Electoral Cyber Security Maturity Review: Whole of Nation Report (Deloitte Touche Tohmatsu report CN3550609 for the Department of Home Affairs – October 2018 – redacted)

So it’s not just that an online election can and will be attacked, it’s that the obscurity and lack of transparency of an online election opens it up to the opportunity of undermining trust in elections as a whole.

These are real threats.  Canada’s Centre for Cyber Security says

In 2018, half of all advanced democracies holding national elections had their democratic process targeted by cyber threat activity. This represents about a three-fold increase since 2015 and we expect the upward trend to continue in 2019.

2019 Update: Cyber Threats to Canada’s Democratic Process – Executive Summary

Online Voting Fails In Independent Testing

But even if you’re not convinced by the fact that the majority of computer scientists, and the majority of nations, and national security advisors are all against online voting, what about a real-world independent test?

Well, Switzerland fortunately has a legal framework in place that requires independent testing of proposed online voting solutions.

And when their online voting was independently examined (outside of the restrictions they had placed on the testing), it was found to be insecure. So they have withdrawn it.

Online Voting Fails When Deployed

Online municipal voting in Ontario failed in 2010 and again in 2018.

Home Computers Are Insecure

And remember you don’t just have to be concerned that the online voting code itself is insecure: people vote from their home computers, over the Internet, to centralised servers. Elections agencies have no control over the security of home computers and the Internet, and they have no control over when major security flaws will be discovered and patches will be released. Such as for example the week of May 13th, 2019, when there was:

In fact, the US Computer Emergency Readiness Team (US-CERT) listed 99 (yes, ninety-nine) high-severity computer security vulnerabilities just for the week of May 13, 2019 alone.  And all of those computer security vulnerabilities, some of which will take weeks or months for consumers and organisations to patch (if ever), they all took place in the same week that Estonia opened its online voting on May 16th.  So you can be guaranteed that people were voting from insecure computers.

Vendors Control Most Internet Voting

And in addition to all of those factors, the reality in Canada and most other countries is that elections technology is created by third-party, for-profit vendors who shield their code and processes from inspection using intellectual property law.  This means elections are effectively outsourced to opaque third-party organisations.  I’ve written about this in the context of Ontario’s computer vote counting, and I would add that Ontario specifically stated their need to work closely with vendors

Throughout the planning phase, we worked closely with our vendors to establish accurate requirements, conduct necessary testing, determine support, and ensure the integrity of the election was never compromised. We were able to integrate vendors into the design and administration of the election, and we look forward to a strong working relationship with our vendors into the future.

Elections Ontario – Modernizing Ontario’s Electoral Process: Report on Ontario’s 42nd General Election June 7, 2018 – Section 2: Planning a Transformative Election, B. Building the Team, Vendors

Tell me, if you wanted to increase the connection that the public feels with its election system, if you wanted to bridge the gap between the public and its democratic system, would your first choice be less involvement of the public?  Because “integrating vendors” means removing the public from the inner workings of the election system itself.

And if you think at least the vendors must be experts in computer security, their record is abysmal.  In the 2007 Ohio EVEREST study, independent researchers found

“exploitable security weaknesses in all three vendors’ systems”

Ohio EVEREST Voting Study Statement

Conclusion

With all that to consider, if you only have one takeaway from this entire blog post it is this:

you must demand public, independent, expert testing without restrictions before you place your confidence in online voting

Such testing has not taken place for the online voting in Ontario and Nova Scotia municipal elections.

There are too many other problems with online voting for me to summarize in what is already a long blog post, so I will conclude with two previous summaries I have done:

video – An Uninvited Security Audit of the U.S. Presidential Election

Computer security researchers J. Alex Halderman and Matt Bernhard report on US voting computer security and the attempts to conduct comprehensive audits of the 2016 election results (recounts) in Wisconsin, Michigan and Pennsylvania.

Video also available (including for download) at https://media.ccc.de/v/33c3-8074-recount_2016_an_uninvited_security_audit_of_the_u_s_presidential_election#video

Halderman and Bernhard were presenting at the hacker conference Chaos Communication Conference (CCC) on December 28, 2016.

The slides may become available on the presentation page https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8074.html

Matt Bernhard tweets @umbernhard

You can find more about J. Alex Halderman in my list of computer security experts https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#JAlexHalderman

MyDemocracy and online voting in Canada

The Government of Canada consultation website MyDemocracy.ca has launched.  This was an opportunity to inform every Canadian household about electoral reform issues, including online voting.

On the site at the very bottom right, you can click to “Learn More”.

MyDemocracy Learn More

Summary: You will not get a comprehensive briefing about online voting from the government no matter how far down the trail of links you go.

My Briefing about Online Voting

Here’s what you could have gotten:

You also could have gotten

  • A completely separate briefing about the use of electronic voting technologies at polling places, along with the many risks, and an explanation that from an implementation standpoint, there is no connection whatsoever between implementing polling place technologies and remote online voting

Details of the Government’s Online Voting Information

Here’s what you will actually get.

Clicking Learn More will take you to https://www.canada.ca/en/democratic-institutions/services/democracy-canada.html

And here’s what that page, entitled Democracy in Canada, has to say about online voting, under How you vote – How you cast your ballot

Today, most of us vote in person by pencil and paper, either on election day itself or in the advance polls in the days beforehand. Many people also use special ballots, which are mailed in or cast at your local Elections Canada office. Introducing new technologies at the polls could pave the way for online voting in the future.

The French version of the page says the same (translated here): Today, most of us vote in person using pencil and paper, either on election day itself or at the advance polls in the days before. Many people also use special ballots, which are sent by mail or dropped off at your local Elections Canada office. Introducing new technologies at polling stations could pave the way for online voting in the years to come.

Where does this assertion that “new technologies” (electronic voting) could lead to online voting come from? What evidence supports it?

Where is the discussion paper / issues paper / briefing about online voting?  Why are we discussing electronic voting in polling places at all?

If, by some miracle, you scroll all the way to the bottom of the Democracy in Canada page, you will find two more resources, one from Samara about different types of voting systems that provides no additional information about online and electronic voting, and one from the Library of Parliament.

For more information about Canada's current electoral system

Clicking the Library of Parliament link will take you to http://www.lop.parl.gc.ca/Content/LOP/ResearchPublications/2016-06-e.html?cat=government

Ok, maybe now we have a briefing about online voting, providing evidence from various fields of expertise including computer science, and weighing risks and benefits.

Well no, we don’t.  Somehow you navigate your way through the table of contents or through the long text to section 6.2 Online Voting

Library of Parliament Online Voting

And if you make it there, you will get, not one page, not 9 pages, not 16 pages, but four paragraphs. With no computer science experts cited.  As I documented in June 2016 in my analysis Online voting section of Background Paper 2016-06-E on Electoral Systems.

I will again express my profound disappointment in the failure of the government to provide an adequate, evidence-based briefing to inform consideration of online voting, particularly given the fact that they had an opportunity to provide information to all Canadians.  And to emphasize my concerns that in addition we are also having a discussion about electronic voting with, extraordinarily, no information or context whatsoever (not even a definition of what electronic voting is, or what technologies we may be considering).

Hashtag for the MyDemocracy consultation isn’t clear.  Presumably #EngagedInER ?  The most common one being used at the moment is #MyDemocracy

For more information about the consideration of electronic voting technologies in polling places, please keep an eye on the future Chief Electoral Officer, Elections Canada, and discussions at PROC, as well as the Ministry of Democratic Institutions.

Aleksander Essex presents about Internet voting security to Toronto Exec Committee

Researcher Aleksander Essex presented to the December 1, 2016 Toronto Executive Committee meeting that was considering a report recommending against Internet voting. You can see Aleksander’s presentation from 9:38 to 13:56 in the meeting video below.

He states “an overwhelming number of cybersecurity experts view Internet voting as one of the most challenging open problems in security, for a great many reasons”.

For more information about the 2016 Toronto report that was being discussed, see Toronto Internet voting.

Dr. Essex was co-author of the 2014 Toronto RFP report Internet Voting for Persons with Disabilities – Security Assessment of Vendor Proposals (PDF).

For more about Aleksander Essex see my list of computer science experts

https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#AleksanderEssex