Category: Security

Securing the Vote – US National Academies 2018 consensus report

The US National Academies of Sciences, Engineering and Medicine (NASEM) uses a comprehensive study process http://www.nationalacademies.org/studyprocess/ to ensure high standards of scientific and technical quality.

On September 6, 2018 they released their 2018 consensus report

Securing the Vote: Protecting American Democracy

The report is available to download as a PDF (login isn’t required, you can download as a guest) and is also posted to read online.  (See blog note 1 for the definition of a consensus report.)

The key conclusions highlighted in the introduction to the release are:

All U.S. Elections Should Use Paper Ballots by 2020 …; Internet Voting Should Not Be Used at This Time

Emphasis (bolding) above mine.

Ensuring the Integrity of Elections

Chapter 5: Ensuring the Integrity of Elections contains many sections relevant to voting technology.  Below are selected extracts only; please read the entire chapter for the full details.

Malware (pp. 86-87)

Malware can be introduced at any point in the electronic path of a vote—from the software behind the vote-casting interface to the software tabulating votes—to prevent a voter’s vote from being recorded as intended.

Maintaining Voter Anonymity (pp. 87-88)

With remote voting—voting outside of publicly monitored poll sites—it may not be difficult to compromise voter privacy. When voting, for example, by mail, fax, or via the Internet, individuals can be coerced or paid to vote for particular candidates outside the oversight of election administrators.

Election Cybersecurity

Election Cybersecurity (pp. 88-93)

Vulnerabilities arise because of the complexity of modern information technology (IT) systems and human fallibility in making judgments about what actions are safe or unsafe from a cybersecurity perspective. Moreover, cybersecurity is a never-ending challenge. It is unlikely that permanent protections against cyber threats will be developed in the near future given that cybersecurity threats evolve and that adversaries continually adopt new techniques to compromise systems or overcome defenses.

Election Cybersecurity: Cybersecurity and Vote Tabulation (p. 91)

Because there is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats, one must adopt methods that can assure the accuracy of the election outcome without relying on the hardware and software used to conduct the election. Uniform adoption of auditing best practices does not prevent tampering with the results collected and tabulated by computers. It can allow such tampering to be detected and often corrected.

I would clarify that it can only allow such tampering to be detected if there are paper ballots to audit.

Election Cybersecurity: Factors that Exacerbate Cybersecurity Concerns (p. 92)

Changing threat. Traditionally, the goal has been to secure against election fraud by corrupt candidates or their supporters who may attempt to favor a particular candidate by altering or destroying votes or tampering with the vote tally. The 2016 election vividly illustrated that hostile state actors can also pose a threat. These actors often possess more sophisticated capabilities and can apply greater resources to the conduct of such operations. Moreover, they may have other goals than shifting the outcome for a particular candidate.

Specifically they may be seeking to undermine confidence in the election process and systems, which is a different kind of attack than changing an outcome.  Any kind of visible or detectable interference such as defacing websites, Distributed Denial of Service (DDoS), or disclosure of information from within voting systems may achieve the goal of undermining confidence.

Election Cybersecurity: [Consensus] Findings (pp. 92-93)

There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.

In comparison with other sectors (e.g., banking), the election sector is not following best security practices with regard to cybersecurity.

Even if best practices are applied, systems will not be completely secure.

Foreign state–sponsored attacks present a challenge for even the most responsible and well-resourced jurisdictions. Small, under-resourced jurisdictions are at serious risk.

Better cybersecurity is not a substitute for effective auditing.

I will highlight just one item from the review of end-to-end verifiability, and I want to make it clear that it is a conclusion about voting technology, not about end-to-end verifiability:

Complicated and technology-dependent voting systems increase the risk of (and opportunity for) malicious manipulation.

Internet Voting

Internet Voting is covered on pages 101 to 106, including specific examination of Blockchains from pages 103 to 105.  Below are selected extracts only; please read the entire section in the document for the full details.

Internet Voting (pp. 101-106)

Insecure Internet voting is possible now, but the risks currently associated with Internet voting are more significant than the benefits. Secure Internet voting will likely not be feasible in the near future.

Emphasis (bolding) above mine.

Internet Voting: Blockchains (pp. 103-105)

blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities. In particular, if malware on a voter’s device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration.

Internet Voting: [Consensus] Findings (p. 106)

The Internet is not currently a suitable medium for the transmission of marked ballots, as Internet-based voting systems in which votes are cast on remote computers or other electronic devices and submitted electronically cannot be made adequately secure today.

The use of blockchains in an election scenario would do little to address the major security requirements of voting, such as voter verifiability. … In the particular case of Internet voting, blockchain methods do not redress the security issues associated with Internet voting.

Internet Voting: Recommendations (p. 106)

5.11 At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots.[35][36] Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place…

[35] Inclusive of transmission via email or fax or via phone lines.

[36] The Internet is an acceptable medium for the transmission of unmarked ballots to voters so long as voter privacy is maintained and the integrity of the received ballot is protected.

[1] Note: The NASEM defines a consensus report as follows

Consensus Study Report: Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.

[2] The report may be cited as e.g.

National Academies of Sciences, Engineering, and Medicine. 2018. Securing the Vote: Protecting American Democracy. Washington, DC: The National Academies Press. doi:10.17226/25120

Ottawa Event – Cyber Attack – Threats to Canadian Democracy

Public Policy Forum event Cyber Attack – Threats to Canadian Democracy
June 6, 2018 at 5pm in Ottawa

As Canada prepares for the 2019 federal election, government institutions, political parties, individual politicians and media are all on the radar of adversaries, ranging in sophistication, from hacktivists to foreign governments. Understanding the potential for attack and what organizations and individuals can do to thwart potential threats is key to ensuring the legitimacy of Canadian elections.

Speakers

The Honourable Karina Gould, Minister of Democratic Institutions

Elisabeth Dubois, Assistant Professor of Communications, University of Ottawa

Jan Neutze, Director of Cybersecurity Policy, Microsoft

Michael Pal, Assistant Professor, Faculty of Law, University of Ottawa
and Director of the Public Law Group

Moderator

Jennifer Robson, Assistant Professor, Political Management, Arthur Kroeger College,
Carleton University

Twitter list of speakers and moderator: https://twitter.com/papervote/lists/ppf-cyberthreats-2018

computer vote counting is a radically different trust model

Computer vote counting is a radically different trust model than a hand-counted election.

Instead of a vote counted in public by known individuals, with observers, you have a third-party for-profit vendor counting the vote in private, with testing by the election authority, but no meaningful observation.

If an elections authority proposed to pay a vendor’s employee to count votes in private, even with a complete background check of the employee, I have the feeling that not many people would go for it.

But in what is essentially the same scenario, except with the employee replaced with a “machine”, people don’t seem to have a problem.

I thought about why this might be the case, and it seems to come down to one primary and one secondary thing.  Primary is the idea that a person has unlimited freedom of action, but a “machine” does not.  Secondary is the confusion that because the vote tabulator itself is in public, somehow the vote count is still “in public”, even though it’s taking place inside the literal black box of the tabulator.

This is I guess a 20th Century collision with 21st Century realities.  If you have an assembly line with a machine that makes pins, if you turn your back, it won’t suddenly decide to secretly make hammers.  Because the vote tabulator looks like some sort of machine, and is described usually as either “electronic” or “machine”, people think it is a single-function device.  But it’s actually a general purpose computer.  Which means that not only does it have a wide range of freedom of action, just like a human being, it can lie to you about what it is doing, just like a human being.

It would be interesting to see a polling station set up with a giant human-sized black box that the ballots go into to be counted, and see how people reacted to that.  Because there really is no difference between that and the computer vote tabulator.  Basically you’ve taken a very limited trust in known people you can watch in public, and changed it to a very extensive trust in unknown vendor employees and in the elections organisation itself operating in private.

If you have a very complicated count and very high expectations of a fast count, then there is some justification in using a vote counting computer, as long as you don’t trust the computer.  You have to audit the paper, not the computer.  You can test the computer as much as you want, it can always lie.  This is exactly what happened in the Volkswagen diesel emissions scandal, where the car’s computer could detect when it was being tested and would change its behaviour accordingly.  So when you use a computer to count paper, you have to audit the paper with a manual count (a risk-limiting audit).  Unfortunately as far as I know, no Canadian jurisdiction follows a computer ballot count with a risk-limiting audit.
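What "audit the paper, not the computer" looks like in practice, as an added example that is not part of the original post: a two-candidate ballot-polling risk-limiting audit using the BRAVO sequential test, which uses the tabulator's reported tally only as the claim to be tested and draws all of its evidence from hand-read paper ballots. The candidate names, tallies, draw limit and seed are constructed for illustration.

```python
import random
from collections import Counter


def bravo_audit(draws, winner, loser, reported_winner_share, risk_limit=0.05):
    """BRAVO sequential test for a two-candidate contest.

    draws: hand-read ballots in the order they were randomly drawn.
    reported_winner_share: winner / (winner + loser) votes, as REPORTED by
    the tabulator. It is only the hypothesis under test, never evidence.
    Returns (confirmed, ballots_examined, test_statistic).
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("reported winner must have more than half the two-way vote")
    threshold = 1.0 / risk_limit      # e.g. 20 for a 5% risk limit
    t = 1.0
    examined = 0
    for ballot in draws:
        examined += 1
        if ballot == winner:
            t *= reported_winner_share / 0.5
        elif ballot == loser:
            t *= (1.0 - reported_winner_share) / 0.5
        # blank, spoiled or other-candidate ballots carry no evidence either way
        if t >= threshold:
            return True, examined, t
    return False, examined, t


def audit_paper(pile, reported, risk_limit=0.05, max_draws=500, seed=None):
    """Check a tabulator's reported tally against the paper ballots.

    pile: the hand-marked paper ballots (one string per ballot).
    reported: dict of candidate -> count printed by the tabulator.
    If the sample does not confirm the reported winner within max_draws,
    escalate to a full hand count, and the hand count decides the outcome.
    """
    (winner, w), (loser, l) = Counter(reported).most_common(2)
    # In a real audit the seed comes from a public ceremony (e.g. dice rolls)
    # held after the tabulator results are committed. Here it is a parameter.
    rng = random.Random(seed)
    draws = (rng.choice(pile) for _ in range(max_draws))  # with replacement
    confirmed, examined, _ = bravo_audit(draws, winner, loser, w / (w + l), risk_limit)
    if confirmed:
        return {"outcome": winner, "method": "audit", "ballots_examined": examined}
    hand_count = Counter(pile)
    return {
        "outcome": hand_count.most_common(1)[0][0],
        "method": "full hand count",
        "ballots_examined": len(pile),
    }


if __name__ == "__main__":
    # Constructed scenario: the paper says B won 550-450, but the tabulator
    # (through error or malicious code) reports A winning 600-400.
    paper = ["A"] * 450 + ["B"] * 550
    lying_tabulator = {"A": 600, "B": 400}
    print("misreported count:", audit_paper(paper, lying_tabulator, seed=2018))

    # Same tabulator claim, but this time the paper agrees with it.
    honest_paper = ["A"] * 600 + ["B"] * 400
    print("accurate count:   ", audit_paper(honest_paper, lying_tabulator, seed=2018))
```

The risk limit is the maximum chance that a wrong reported outcome survives the audit; no amount of pre-election testing of the tabulator changes that bound, because the tabulator's software is never consulted.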

In any case, Canadian federal and provincial elections are trivial to count.  You literally just sort the ballots into a few piles.  And because the count is simple it is also fast.

The Ontario provincial switch to vote counting computers is wrapped with PR about technology, but it’s actually about staffing.  (The underlying concept is literally called "Proposal for a technology-enabled staffing model for Ontario Provincial Elections".)  Basically it’s hard to get people to staff elections now, and they’re tired by the end of the day which means they are sometimes not in the best shape to do a bunch of precise counting.  There are many many ways to address elections staffing.  For example, you could simply bring in people, e.g. High School students, to do the count at the end of the day.

Addressing a staffing problem by completely changing the counting trust model wouldn’t have been my choice.  And I would assert that the only reason it’s even possible is because people don’t realise the trust model has been radically changed.

In any case, online voting is a much much worse problem than vote counting computers, so this is about all I have to say about the vote tabulators issue.

Previously:
May 11, 2018  2018 Ontario Provincial Election to use vote counting computers

2018 Ontario Provincial Election to use vote counting computers

The 2018 Ontario Provincial Election taking place on June 7, 2018 will for the first time use vote counting computers province-wide.  This replaces hand-counting of ballots.

The computer vote tabulators use optical scan technology to read hand-marked paper ballots.

This is the least-worst use of computer technology for vote counting as the hand-marked ballots are still available to be counted.  However, these are still computers that have to be programmed, which means there is always the potential for errors or malicious code.

Key Questions

Fundamentally in elections, you don’t trust anyone.  That means you don’t trust the computer vote tabulator either.  Use of computer vote tabulators introduces the following key questions:

  • Will there be a public hand-counted risk-limiting audit following every election, to test the computer count?
  • In the case of a recount, will the ballots be hand-counted under judicial supervision, or will the ballots be run through the computer vote tabulators again?  (It appears that the legislation requires recounts to use a manual hand-count of the paper ballots.)

The new voting procedures were launched with a May 9, 2018 press release (PDF) and accompanying media event.

Elections Ontario is modernizing the voting process and putting the needs of electors first by introducing technology in the polls. Election officials will be using electronic poll books (e-Poll books) and vote tabulators across the province for advance voting. On election day, 50% of the polls will have vote tabulators and e-Poll books … serving 90% of electors.

There was a Canadian Press story by Liam Casey, see e.g. CBC News – Ontario to use electronic voting machines for first time in spring election – May 9, 2018.

The tabulator is a Dominion Voting ImageCast® Precinct computer optical scan vote tabulator.

The history is buried in the post-event reports for two byelections that tested the technology:

It is very clear from the Proposal that the key issue is staffing; the technology is being introduced to address poll staffing issues.

Additional Questions and Considerations

Disclaimer: I am not a lawyer.

Additional questions raised by the use of computer vote counting equipment:

  • Are there provisions for erasing the digital copies of the ballots stored by the vote counting equipment? (I see no procedures described in law. Organisations often do not consider the security implications of digital copies of scans, see e.g. CBS News – Digital Photocopiers Loaded With Secrets – April 19, 2010.)
  • What are the security implications, in particular the chain-of-custody implications, of sharing computer vote counting equipment with other jurisdictions (e.g. Ontario municipalities)?  Doesn’t the risk of computer code alteration increase with each new jurisdiction that has access to the machine?
  • What are the procedures for transmitting the results of the computer count to Elections Ontario?  Is the count based on printouts from the vote tabulators, the vote tabulator memory cards, or transmission over a network?  What are the security implications of permitting the computer vote counting equipment to be connected to a network in order to transmit the count?  See e.g. Freedom to Tinker – Are voting-machine modems truly divorced from the Internet? – February 22, 2018.
  • What are the procedures for handling the vote tabulator memory cards?

In the March 22, 2018 Guelph Mercury article Ontario’s voting system secure, chief election official says the following statement is made by the Chief Electoral Officer:

“The Ontario government has hired a cybersecurity team to assist any of the ministries with private security — and we’ve been working with that team over the last year, year and a half, and they’ve been working with all of our systems,” he said.

“They’ve been doing penetration testing, vulnerability testing … to ensure that our systems are up-to-date and secure. There have been some slight alterations based on their recommendations, and we are very confident and we take security very, very seriously.

“I want to make sure that all the systems and all the personal information that we have is protected.”

  • Will these tests be made available to the public?  Including both the test procedures and the results?
  • Why doesn’t the Ontario Election Act section 4.5 (3) 3. include independent security and integrity testing for computer vote tabulators, in addition to logic and accuracy testing, as is required for accessible voting equipment in 44.1 (5)?
  • Will the independent security and integrity reports required by 44.1 (5) be made available to the public?
  • Will the machines be made available for independent expert testing, by Canadian academics who are computer security experts?
  • Will the machines be made available for independent expert testing by hackers, e.g. in DefCon Voting Village or at e.g. Canadian Hackfest?
  • As the computer vote tabulators stack ballots in sequence in a bin, in theory it is possible to de-anonymise the votes by carefully tracking voters as they cast ballots.  Is there any provision for randomising the stacked ballots in order to prevent this potential risk?

For more about what it means to change from public hand-counted ballots to ballots counted by a computer from a private for-profit company, see computer vote counting is a radically different trust model.

Governing Legislation

The governing law is the Ontario Election Act, R.S.O. 1990, c. E.6

The relevant sections, modified in 2016 (Election Statute Law Amendment Act, 2016, S.O. 2016, c. 33 – Bill 45) and in force as of January 1, 2017 are:

  • Authority to share equipment and resources – 4.0.3 (1) The Chief Electoral Officer may make equipment, advice, staff, or other resources available to other electoral authorities in Canada.
  • Use of vote counting equipment – 4.5 (1) The Chief Electoral Officer may issue a direction requiring the use of vote counting equipment during an election and modifying the voting process established by this Act to permit the use of the equipment.

Next section blockquoted due to complexity:

Restrictions re equipment

4.5 (3) The following restrictions apply with respect to the use of vote counting equipment:

1. The equipment must not be part of or connected to an electronic network, except that the equipment may be securely connected to a network after the polls close, for the purpose of transmitting information to the Chief Electoral Officer.

2. The equipment must be tested,

i. before the first elector uses the equipment to vote, and
ii. after the last elector uses the equipment to vote.

3. For the purpose of paragraph 2, testing includes, without limitation, logic and accuracy testing.

4. The equipment must not be used in a way that enables the choice of an elector to be made known to an election official or scrutineer.

  • Recount conducted manually – 74.1 A recount that is made from the actual ballots shall be conducted manually, even if the original count was done by vote counting equipment. 2010, c. 7, s. 31.

The only section that speaks about voting equipment security appears to apply solely to section 44.1 Accessible voting equipment

Accessible voting equipment, etc.

44.1 (1) At an election, accessible voting equipment and related vote counting equipment shall be made available in accordance with this section and in accordance with the Chief Electoral Officer’s direction under subsection (2). 2010, c. 7, s. 24 (1).

Condition

(5) Despite subsection (1), accessible voting equipment and related vote counting equipment shall not be made available unless an entity that the Chief Electoral Officer considers to be an established independent authority on the subject of voting equipment and vote counting equipment has certified that the equipment meets acceptable security and integrity standards. 2010, c. 7, s. 24 (1).

There is no analogous section under 4.5 vote counting equipment.  Disclaimer: I am not a lawyer.

Canadian reports on election security and misinformation

Government of Canada

Academia

Estonian ID card vulnerability and upcoming election

On September 5, 2017 the Estonian Information Systems Authority – Riigi Infosüsteemi Ametit (RIA) reported that researchers have found a vulnerability in the Estonian digital ID card:

Possible Security Vulnerability Detected in the Estonian ID-card Chip

This is a serious issue in general, as the card is at the heart of citizen digital interactions with the government, but has particular implications for Internet voting, as the ID card is key to the functioning of the voting system, enabling amongst other features the unique Estonian ability to vote multiple times with only the last vote counting (including choosing to vote in person on election day, cancelling all previous Internet votes).

There are local government council elections coming up soon, with online voting starting in a month, running from 5 October 2017 to 11 October 2017 (online voting is only available for advance polls, not on election day).

Estonia Local Gov Council Elections 2017

above from Municipal council election 2017

According to the Is the ID-card safe? FAQ, the National Electoral Committee (Vabariigi Valimiskomisjon) will decide whether to proceed with online voting.

UPDATE 2017-09-06: In its September 6, 2017 meeting, the National Electoral Committee decided to proceed with online voting in the October elections.  Reported by err.ee – Electoral committee: Online voting in October elections still on / Valimiskomisjon: e-hääletamine toimub.  ENDUPDATE

The analysis of the ID-card vulnerability, by “[a]n international group of cryptography scientists from recognized universities” will be “published in the coming autumn at an international scientific conference” according to the ID-card safety FAQ.

UPDATE 2017-09-06: There’s more detail about the specific vulnerability, which appears to be a computationally-intensive, technically-challenging way to determine the private key from the security chip, in Postimees article Hackers could have made digital clones / Häkkerid võinuks luua eestlastest digikloonid.  ENDUPDATE

Links in English

Links in Estonian

Additional Context

Original story via Bruce Schneier – Security Flaw in Estonian National ID Card

As Estonia is the only country in the world with national Internet voting, I have written about it many times:

June 16, 2017  evaluation of Predicting the Future – online voting – Estonia
July 8, 2016 Estonian Internet voting and turnout myths
March 8, 2011 Estonian vote-counting system fails
November 11, 2004 e-voting in Estonia

For a perspective on security concerns with the Estonian system that predate the ID card issue, it is also important to read the materials on the website Independent Report on E-voting in Estonia as well as

evaluation of Predicting the Future – online voting

I want to give credit to Andrew Weinreich for the first two of his three Predicting the Future online voting podcasts.

Episode 7 (Online Voting episode 1): Can online voting defeat the broken Electoral College?

Episode 8 (Online Voting episode 2): Hacking elections, DDoS attacks, and online voting around the world

What I liked is that he gives people time and space to talk, in particular in episode 8 there is lots of time given to Dan Wallach, enabling Dr. Wallach to clearly articulate his positions around online voting.  As well, David Dill has an opportunity to provide his position.

(Both Dr. Wallach and Dr. Dill are on my list of Internet voting computer security experts.)

You can listen to this podcast and learn a lot about the computer science perspective, which isn’t often the case.  (In a similar vein of presenting computer science expertise well, consider Reveal’s podcast Internet voting is a bad idea.)

You know there’s a “but” coming, right…

Expert Assessment of Risk

Where things run into problems in the Predicting the Future podcast, particularly in episode 8 about hacking elections, are in the weighing of risk and in the summation of the computer science expertise.

I have seen similar disconnects in discussions about municipal online voting.  Basically what happens is the computer scientist says there are risks, and the counter-argument that is presented is that there are also benefits, but this misunderstands scientific communication.

What the computer scientists are saying is not that there are risks (everything has risks) but that it is not possible with current technology to adequately mitigate those risks.   Basically this is a problem of estimative language, and it’s why national security agencies have entire systems to describe what they mean when they say something.

Here’s an example of estimative language from the Canadian Communications Security Establishment (Annex A of Cyber Threats to Canada’s Democratic Process).

CSE Annex A Estimative Language

You can see similar language in Annex B of US Intelligence report ICA 2017-01D.

What computer scientists are saying is that compromise of online voting is Very Likely, and that there is no way to mitigate the risk below Very Likely.

There is simply no benefit that outweighs an 80% or more possibility that your election results can be hacked.  And that would be even if Internet voting were implemented with all possible best practices, but the evidence is it almost certainly wouldn’t be.  There have been examples time and again of election technology security falling somewhere between lax and incompetent.

Sometimes I cite this language from the Utah iVote Advisory Committee Final Report (April 2015):

Given that sufficiently secure Internet voting systems do not yet exist, they would need to be built.
Of course, some systems, like a stone bridge to the moon, are impossible to build. Others, like a stone bridge to Hawaii, are so exorbitantly expensive as to remain a fool’s errand.

which is to say, there are some things that are either currently not possible or beyond the realm of affordability.  This is based on expert assessments.  You may not want to believe the assessments, but that doesn’t make them untrue.  Sometimes truth is inconvenient.

We are talking about adding a lot of additional security risks, unnecessarily

Security threats not found in current Canadian federal paper election system
(above from Table 1: Security threats to elections not found with in-person, hand-counted paper voting in Canadian online voting report, citing Dr. Essex)

Political System Issues and Turnout

Fundamentally, the goal of the podcast is to explore turnout.  But only from a technology lens.  Which is, basically, solutionism.  Technology is not always a solution, and it’s definitely not always the best solution.

I am ill-placed to comment on turnout in the United States, but there are two lenses one could apply.  One is process design.  For this I look to The epic journey of American voters.

Fix the process burdens described in the Center for Civic Design’s report, and a big part of voting will have improved.

Just as one example, in many countries, the state actively tries to ensure that voters are registered.  For Canadian federal elections, they used to literally go door to door to ensure people were registered, in a process called enumeration.  Now, checking a single box on your Canadian federal tax return ensures you’re registered to vote.

The second lens is what I would call voting constraints.  The US elections are not an unconstrained system in which the only thing preventing voting is convenience.  There are two significant constraints imposed that could be addressed through a combination of technological and political measures: one is the (to non-Americans) absurd level of gerrymandering of districts (enabled to a large part by what one could consider misuse of technology in order to microtarget the district designs) and the other is the deliberate attempts to suppress turnout through various measures (an evolution of the Jim Crow era, in which there were constraints like voting literacy tests).

If you want to talk cost/benefit, then fixing the process, removing gerrymandering and eliminating voter suppression would be (in my non-American opinion) far more impactful than online voting.  Make sure you’re solving the important problems, not just the technologically interesting ones.

So there are real problems, and real solutions.

Now let’s come to turnout.  Turnout is very complex.  It depends on lots of factors including the issues, the candidates, and the political culture.  It can vary from election to election in the same location.  Trying to compare across countries that have very different cultures and issues is a bit of a mess.  And trying to compare across vastly different sizes of elections is also a mess.  The evidence is that offering online voting just causes people to shift voting channels, it doesn’t bring in new voters.  I have blogged about this many times before, e.g. online voting doesn’t increase turnout.

I do want to mention three countries specifically however:

  1. Canada
  2. Estonia
  3. Switzerland

Canada

There is only online voting in municipal elections in Ontario and Nova Scotia.  Voting in Ontario was extensively studied and the result is a maximum effect of 3% increase in voter turnout.

Goodman, Nicole and Stokes, Leah C, Reducing the Cost of Voting: An Empirical Evaluation of Internet Voting’s Effect on Turnout (October 6, 2016). Available at SSRN: https://ssrn.com/abstract=2849167

As you will recall, I earlier assessed risks to online voting as “Very Likely” (80% or greater potential for compromise).

So if you want to do an apples to oranges comparison, you’re basically looking at 3% turnout increase in exchange for adding massive risks to the integrity of your voting system (in the shift from paper ballots to online voting).

Estonia

Let’s be blunt: Estonia is a small country.  The total population is about 1.3 million.

The idea that we can trivially generalise from Estonia to Canada (30 times the population) or the US (300 times the population) is at best dubious.

In any case, Estonia provides all of its turnout numbers.  This gets presented in different ways according to the biases of the presenter.  I can, for example, use the numbers to say that after 8 years, less than a third of Estonians use online voting.  I can also say that Estonia’s turnout, with the magical boost of online voting was… only up 2.3% over 8 years and was lower than Canada’s completely paper-based turnout in 2015.

Statistics about Internet Voting in Estonia

Plus which, let’s be concrete about what less than a third means in real numbers of voters in Estonia.  It means approximately 176,000 votes cast online.

Do we seriously think countries are so interchangeable and voting cultures so universal that we can generalise from about 176,000 online votes in Estonia to about 128,000,000 votes in the last US Presidential election?  This is not about scaling up, this is a mouse and an elephant.  They’re not comparable.

And that’s setting aside the fact that the Estonian e-voting is not secure and that it relies on every citizen having a national digital ID, which is spectacularly unlikely to ever be the case in the US.

I understand why Estonia, as the only country with national online voting, comes up again and again, but let’s be realistic about the fact we’re talking about a system that 70% of the country’s voters don’t use, and that only represents 176,000 votes cast anyway.

Switzerland

Switzerland has voting in some municipalities in some cantons (not national or even state-level voting by any stretch).  Switzerland also has no culture of voting privacy (traditionally voting was done by show of hands, and in fact in many municipalities this is still the norm) and it has much more frequent votes on more things.  We are again talking about a small number of votes cast online (less than 300,000).  And we’re talking again about less than 25% of voters choosing to vote online.  And, as always, it doesn’t increase turnout anyway.  And in Switzerland one of the systems had to be removed because it was determined to be insecure.

How many ivoters in Switzerland

For more on Switzerland:

Country Examples Summary

Mostly we have small examples.  Without exception, the increases in turnout are between minuscule and nonexistent.  These are based on long-term, serious, analytical academic studies.  The evidence is in.  Online voting does not increase turnout.

Conclusion

I give lots of credit to Andrew Weinreich for doing really diligent and comprehensive research and for letting his guests clearly express their opinions.

Where I disagree is in the reframing following the computer science speakers, where Weinreich says (starting at 23:29 into the Hacking elections episode):

“Leading computer science academics are deeply sceptical of Internet voting and are actively campaigning against its utilisation, not because theoretically they don’t think it’s a solvable problem, but because they don’t think it’s worth solving.”

This misrepresents the computer science position (which is incidentally a consensus position of the 96,000+ member Association for Computing Machinery).  The computer science position is that based on known risks and known results (including the cases I have presented above), the risk is too high and the benefits are minimal at this time.  And that the properties of paper ballots cannot be replicated online.  This is an expertise and evidence-based conclusion.

The computer science position is that this is an interesting problem, and one worth continuing to research.  And indeed there is active research on online voting in many different computer science departments and organisations around the world, in part because it is such an interesting and difficult problem.  But we are nowhere near having a solution, so in the same way we aren’t trying to solve electricity problems by promising a Mr. Fusion in every house tomorrow, we shouldn’t be creating the expectation that online voting will be workable any time soon.

And keep in mind the computer science conclusions about security were drawn long before the recent incidents of nation-state cyberattacks, which take the risk to an entirely new level.  You can mitigate against an amateur attack, and even against a moderately professional attack.  You cannot mitigate against a nation-state funded expert attack.  If the NSA wants to get into your system, they will.  That’s the level of threat we now know we face.

And that’s just the risks on the technical side; that doesn’t even touch on the possibility of coercion or online guided voting.  Vote online says Mark Zuckerberg.  How far from that to “Facebook has voted for you based on your preferences”?  (And to Weinreich’s credit again he explores some of the possible disruptions that online voting would cause for campaigns and advertising.)

Online voting doesn’t solve any of the very real problems of voter turnout.  In fact it’s so low down the list of potential solutions that when the City of Calgary wrote a 2017 report on increasing turnout (PFC2017-0259 Election Outreach) online voting was rejected deep down in an Appendix (Section 2.1 Internet voting in Attachment 3, to be precise).

I admire when people want to improve their democracy, want to increase turnout, want to improve the experience of voting.  But online voting is not the solution.  Solve the real problems instead.  They are big, and they are hard, and they are mostly political.