Canadian reports recommending against Internet voting

Internet voting has been studied.  Again and again.  Any time there is a comprehensive study, it recommends against online voting.

Here are the Canadian federal and provincial reports:

  • New Brunswick (A pathway to an inclusive democracy) – 2017
  • Government of Canada (Strengthening Democracy In Canada: Principles, Process And Public Engagement For Electoral Reform) – 2016
  • Prince Edward Island (Considerations for Applying E-Voting Options [Internet voting] in Canadian Public Elections – Independent Technical Panel on Voting Integrity) – 2016
  • British Columbia (Independent Panel on Internet Voting) – 2014
  • Ontario (Alternative Voting Technologies Report) – 2013
  • Nova Scotia (Internet and Telephone Voting in Nova Scotia) – 2012
  • Quebec (Evaluation Report of the New Methods of Voting that were Used during the Municipal Elections of November 2005 / Élections municipales de novembre 2005 : Rapport d’évaluation des nouveaux mécanismes de votation) – 2006

I can’t list every municipality, but here are a few municipal reports as well:

  • Toronto (EX20.5 – Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election – Part B – Voting Technology) – 2016
  • Waterloo (CORP2016-105 Alternative Voting Methods (Internet Voting)) – 2016

I don’t know how many times you have to study the exact same thing, year after year, decade after decade, before you eventually agree with the conclusion that we should not implement Internet voting.  Apparently many times.

It is very unfortunate that both Ontario and Nova Scotia, having investigated and rejected Internet voting at the provincial level, have left it to individual municipalities to decide whether to adopt Internet voting municipally, without any briefing or guidance or standards.  Basically municipalities are left to google and decide.  If the provinces had set even basic requirements, such as an independent public security test of all Internet voting systems, things would have gone very differently.  (If you think having independent public security tests of the systems would have too much risk, it’s worth mentioning that even the US Department of Defence has an official “Hack the Pentagon” initiative.)

Canadian reports on election security and misinformation

Government of Canada

Academia

Finland recommends against Internet voting

Finland did an extensive study in 2017, running from February to November, and reported its final results in December.

The report concluded that the risks of online voting outweigh its benefits.

The original government web page has been replaced by a new page: Nettiäänestyksen esiselvitys. Documents are in section Asiakirjat (“Documentation”).
SIDEBAR: The last archive of the previous Nettiäänestys page is from June 16, 2017. END SIDEBAR

Press releases

Reports

Key Statements

Online voting technology and the development of the structures required for the system are not yet at a level that would enable a sufficiently secure implementation and introduction of the system. There are still open questions in terms of verifiability and the secrecy of the ballot. It is not expected that the key risks related to online voting would be solved in the next few years.
The monitoring group came into the conclusion that online voting should not be introduced in general elections, because the risks involved are greater than the benefits. Online voting would not resolve the current problems, such as the low voter turnout.

Previously:
March 14, 2017  Internet voting in Finland

PEI 2016 Plebiscite Voting Integrity Audit Report recommends against federal and provincial Internet voting

Prince Edward Island (PEI) – 2016 Plebiscite on Democratic Renewal – Voting Integrity Audit Report – from the Independent Technical Panel on Voting Integrity (ITPVI) – November 30, 2016

This report is Section 3 Appendix in the 2016 Annual Report of the Chief Electoral Officer of PEI  (PDF), starting on page 35.

Section 11 of the Voting Integrity Audit Report is Considerations for Applying E-Voting Options [Internet voting] in Canadian Public Elections.

The report recommends against Internet voting at the federal and provincial levels, except for absentee voters.

There is a need to maintain an acute level of awareness of the risks to electoral integrity that these new voting methods present. The implications of a breach of the public trust that exists today suggests strongly that internet and telephone voting in Canadian provincial and federal parliamentary elections be considered channels that should be limited to use only by absentee voters for the immediate foreseeable future. …

It is important that leaders in Canadian electoral administration manage public expectations and articulate their concerns about the fact that a perfectly secure and fool-proof electronic voting system does not yet exist.

This recommendation was picked up in the news media, e.g. CBC News PEI – Online voting not ready for federal, provincial election: officials – May 4, 2017.

The group concluded a high-stakes provincial or federal election could attract groups looking to intervene in illicit ways through cyber-attacks, hacking or other means.

The report also does an excellent job of showing the “additional risks and controls associated with online electronic voting” [Internet voting]. These include (highlighting by me):

1. Trusted digital voter identification and authentication is a requisite additional control. An irrefutable digital identity is the first safeguard in ensuring that eligible voters can vote (and can vote only once), and in ensuring that ineligible voters are not permitted to vote. Establishing this identity with a robust ‘shared secret’ is a mandatory prerequisite.

2. The onus is on the buyers, designers, developers, maintainers and operators of any electronic voting system to demonstrate rigor in the specifications, certifications, accreditations, testing and operation of the e-voting system to ensure it is able to mitigate the full range of risks to a reasonable and acceptable level. This has to be achieved to a level of satisfaction regarding both hardware and software risk mitigation. The remaining level of risk needs to be accepted by all stakeholders.

3. With the elimination of the controls that were previously implemented in manually controlled voting processes (refer Appendix ‘G’: Controls C1 – C5), traditional risks are not as fully mitigated as before. In fact, the following risks are difficult to mitigate in any meaningful way:
a. Vote buying / vote secrecy (“I’ll just take a selfie in front of my screen”)
b. Voter coercion (Unless reported, it is impossible to determine if a vote is being coerced)

4. The risk of a voter voting with stolen credentials can only be partially mitigated by effective voters list management and the implementation of a trusted digital voter identification and authentication scheme. Digital voter identification must be robust, but it must also be easily managed so as not to become a barrier to voting because it is overly complex for a voter to use as seldom as once every four years.

5. The additional risks of compromised end-user hardware or software, or a broad regional or national attack on internet infrastructure, remain unmitigated.

The report also identifies the extremely high standard to which we must hold Internet voting, as the transparency provided by conducting paper ballot voting and counting in public are lost when using completely computerized processes.  Highlighting added by me.

The onus is also completely on the online electronic voting system implementer to ensure that controls are established within the e-voting system that meet the legislative requirements of the jurisdiction, and provide an adequate level of transparency for all stakeholders. Simply depositing electronic votes into a ‘black-box’ where they are stored and counted is unlikely to meet stakeholder demands for maintaining a high level of public confidence, unlikely to publicly show that voting risks are continuing to be
managed responsibly, and unlikely to prove to candidates and political parties that the electoral process and controls continue to deliver a trusted and accurate result.

SIDEBAR on turnout:
A demonstration of the reality of Internet voting turnout was the 2016 Prince Edward Island Plebiscite on Democratic Renewal which had 10 days of online voting in addition to two days of in-person voting. Not only was the overall turnout low at 36.5%, but the turnout for ages 18-24 was the lowest of any age range, at 25.47%.

Numbers from McLeod, G. B. (2016, November 9). Interim Report of the Chief Electoral Officer for the 2016 Plebiscite on Democratic Renewal. http://www.gov.pe.ca/photos/original/elec_demrefpleb.pdf
END SIDEBAR

Estonian municipal council elections 2017 – Kohalikud valimised 2017

Estonian municipal council elections finished at 8pm on October 15, 2017.

I’m writing now at 10:37pm Estonian time, as the results have been posted online.  I will update this post if there are changes.

UPDATE 2017-10-17:  Some information for context

  • Eligible voters for Parliamentary elections and eligible voters for Local elections are not the same, so the two types of elections are difficult to compare.  Local elections draw from a larger electorate.
    • 2013 Local elections – Eligible voters – 1,086,935
    • 2015 Parliamentary elections – Eligible – 899,793
    • 2017 Local elections – Eligible voters – 1,100,648
      Also I believe the 2017 local election is the first one in which 16 and 17 year olds could vote.
  • It’s important to be careful whether one is talking about voting as a percentage of total eligible voters, or voting as a percentage of actual voters.

END UPDATE

Summary: ONLINE VOTING IS NOT A SOLUTION FOR INCREASING TURNOUT.

There is no Internet voting on election day in Estonia, the online voting system is only available for advance voting.

The total number of Internet votes cast was 186,034 (one hundred eighty-six thousand thirty-four).  I don’t like comparing different types of elections as they have different characteristics, but just for the sake of a complete picture, the total number of Internet votes cast in the Parliamentary elections in 2015 was 176,329.  So the total increase is 9,705 (nine thousand seven hundred and five).  UPDATE 2017-10-17: However note that the local elections draw from a much larger pool of eligible voters.  END UPDATE

So while 186k online votes is indeed a record for Estonia, it is a relatively small absolute increase.  And I would caution strongly against projecting this result of under 200k online votes to jurisdictions with tens or hundreds of millions of voters.

The total number of votes cast was 367,199 (three hundred sixty-seven thousand, one hundred and ninety-nine), for a total turnout of 53.2%.

UPDATE 2017-10-17: The total number of votes cast was 586,523 (five hundred eight-six thousands five hundreds and twenty-three), for a total turnout of 53.3%.

Turnout DROPPED from the 2013 local elections, which had a turnout of 58%, for a turnout DROP of 4.7%.

So just to make my point super clear: Estonia has had online voting since 2005. After 12 years of offering online voting, they have managed a turnout of just over 50%, and that turnout dropped from the previous local election.
ONLINE VOTING IS NOT A SOLUTION FOR INCREASING TURNOUT.

You can see turnout percentages for this election at https://kov2017.valimised.ee/osavotu-statistika.html and details for past elections at http://vvk.ee/voting-methods-in-estonia/engindex/statistics/

UPDATE 2017-10-17: You can see the total number of eligible voters, the total number of votes cast, and the total number of Internet votes at https://kov2017.valimised.ee/valimistulemus-vald.html  END UPDATE

On https://kov2017.valimised.ee/osavotu-statistika.html the turnout for online voting seems to be is a separate item called E-HÄÄLI but I have to say I don’t really understand the numbers other than total turnout shown in the bottom right and the Internet voting turnout (as a percentage of TOTAL eligible voters) is 16.9%.  That is to say, only 16.9% of eligible Estonian voters chose to cast their ballot online.

There were seven days of advance voting (including Internet voting) in total, from October 5 to October 11.  You can see an overview of the voting schedule at https://www.valimised.ee/et/kohaliku-omavalitsuse-volikogu-valimised-2017 or in English at https://www.valimised.ee/en/municipal-council-election-2017

Previously:
July 8, 2016 Estonian Internet voting and turnout myths

Estonian ID card vulnerability and upcoming election

On September 5, 2017 the Estonian Information Systems Authority – Riigi Infosüsteemi Ametit (RIA) reported that researchers have found a vulnerability in the Estonian digital ID card:

Possible Security Vulnerability Detected in the Estonian ID-card Chip

This is a serious issue in general, as the card is at the heart of citizen digital interactions with the government, but has particular implications for Internet voting, as the ID card is key to the functioning of the voting system, enabling amongst other features the unique Estonian ability to vote multiple times with only the last vote counting (including choosing to vote in person on election day, cancelling all previous Internet votes).

There are local government council elections coming up soon, with online voting starting in a month, running from 5 October 2017 to 11 October 2017 (online voting is only available for advance polls, not on election day).

Estonia Local Gov Council Elections 2017

above from Municipal council election 2017

According to the Is the ID-card safe? FAQ, the National Electoral Committee (Vabariigi Valimiskomisjon) will decide whether to proceed with online voting.

UPDATE 2017-09-06: In its September 6, 2017 meeting, the National Electoral Committee decided to proceed with online voting in the October elections.  Reported by err.ee – Electoral committee: Online voting in October elections still on / Valimiskomisjon: e-hääletamine toimub.  ENDUPDATE

The analysis of the ID-card vulnerability, by “[a]n international group of cryptography scientists from recognized universities” will be “published in the coming autumn at an international scientific conference” according to the ID-card safety FAQ.

UPDATE 2017-09-06: There’s more detail about the specific vulnerability, which is appears to be a computationally-intensive, technically-challenging way to determine the private key from the security chip, in Postimees article Hackers could have made digital clones / Häkkerid võinuks luua eestlastest digikloonid.  ENDUPDATE

Links in English

Links in Estonian

Additional Context

Original story via Bruce Schneier – Security Flaw in Estonian National ID Card

As Estonia is the only country in the world with national Internet voting, I have written about it many times:

June 16, 2017  evaluation of Predicting the Future – online voting – Estonia
July 8, 2016 Estonian Internet voting and turnout myths
March 8, 2011 Estonian vote-counting system fails
November 11, 2004 e-voting in Estonia

For a perspective on security concerns with the Estonian system that predate the ID card issue, it is also important to read the materials on the website Independent Report on E-voting in Estonia as well as

Wales consults on electronic and Internet voting

The Government of Wales is running a consultation: Electoral reform in local government in Wales.  The consultation closes 10 October 2017.

A variety of questions are considered, but for the purposes of this blog there are three of interest:

  • Q21 electronic voting (this appears to be defined solely as paperless touch-screen voting in polling places)
  • Q22 remote voting (Internet voting)
  • Q23 electronic counting

In what I have found is fairly typical fashion, the main consultation paper (PDF) does not cite any references, and makes brief, broad, generally positive statements.  (The youth and “easy read” consultation versions in turn simplify and amplify these statements to an extreme degree.)

Responding to the Consultation

You can fill in an online form,

but in order to be able to provide more extensive comments, you may instead want to download the email response form (DOCX), complete it (or complete whichever sections are relevant to you) and send it to RLGProgramme@wales.gsi.gov.uk

Reminder that the deadline is 10 October 2017.

Q21 Electronic Voting

(page 18 in main consultation document)

This is defined solely as touch-screen voting. There is no mention of paper output, so presumably paperless touch-screen voting.

Extracts from statements + commentary

5.14. This implies the installation of equipment at polling stations (and possibly other locations) to enable touch-screen voting. …

5.15.  Electronic voting is already used widely internationally, particularly in India but also in Belgium and Estonia amongst others.

I think this is a misunderstanding of voting in Estonia.  As far as I know, Estonia doesn’t use paperless touch screens.  On voting day, voting is on paper.

There isn’t any serious examination of security risks to voting machines (voting computers), but there is the rather extraordinary assertion that electronic voting could lead to less challenging of “votes” (presumably this means fewer challenges to election results).

5.19. … there would need to be secure procedures in place to ensure the security of data being transmitted from the polling places to the central count operations. The challenging of votes could become less likely.

I, on the other hand, think paperless touch-screen voting would introduce not only high security risks, but would make challenges to election results both more likely and impossible to satisfactorily resolve (as there is no physical trail to audit).

Q22 Remote Voting (Internet Voting)

(page 19 in main consultation document)

It’s clear this means Internet voting.

Extracts from statements + commentary

5.20. This refers to a process of voting through access of the internet by an electronic device, using an individual recognition code. The use of codes of different sorts to ensure that only the intended person is accessing a system is now commonly used for purchasing, banking, voting in elections within political parties, trade unions and other organisations. Registration to vote is now routinely performed online, as is registering/taxing a motor vehicle and accessing a multitude of other public services or transactions.

Where to begin?  Voting doesn’t have the same requirements as banking; voting has much harder to satisfy requirements as the transactions have to be anonymous and aren’t reversible.  Voting is not a regular online personalised transactional service.

5.21. Remote voting was piloted in local elections at South Buckinghamshire in May 2007. Although only a minority made use of the facility, 10 years later the option is likely to be more popular. There were no particular technical difficulties but the Electoral Commission called for the pilots to be suspended – along with all others – until the system was generally more secure. There is a risk that, with registering being done remotely, fictitious voters could be created and that voting might not take place in secure environments. In addition, realistic concerns exist about cyber security, and any system needs to be as secure as possible from the dangers of hacking and manipulating votes. This must be weighed against this method becoming more and more commonplace in relation to other types of voting or completion of official forms and having likely efficiency savings. There are remote voting procedures operating in at least one European country allowing the casting of a vote more than once by the same person, with only the final vote cast before close of poll counting. This is to provide for the possibility that an elector may be subject to intimidation when voting but would take a later opportunity to vote in private.

In the list of examples that might have been chosen, South Buckinghamshire in 2007 is a rather oddly specific choice.  Plus which it’s very hard to locate those old voting trial documents online.

The usual assertion that online voting will be “popular”, without any context that online voting provably does not increase turnout.

I do like that there is at least some consideration given to security risks, but the idea that we should weigh “realistic concerns” about security against some vague notion of method popularity is odd.  One should weigh the security risks of one type of voting against the security risks of another, and optimise for voting system integrity.

While being oddly specific about South Buckhamshire, the document is oddly vague about “at least one European country” – in fact there is only one country in the world that offers national Internet voting, Estonia, and it is only able to have multiple vote casting because it has a comprehensive nationwide system of digital ID, something which the Wales document doesn’t mention.

There is also no mention of the many countries that have had reports recommending against Internet voting (such as Canada) or countries that have withdrawn Internet voting due to security concerns (such as France).

Q23 Electronic Counting

(pages 19-20 of the main consultation document)

I don’t really have the energy to examine the electronic counting piece in detail.  Basically what you need to know about electronic counting is that you MUST audit the counts because you cannot trust the counting machines (counting computers).  Which, if you have a simple count anyway, means that you’ve generated more work and expense, not less.  Electronic counting, with audits, only makes sense if you have a complicated count, and nevertheless distances the process of the election from direct public inspection and understanding.

UK Evidence

As I have mentioned, a lot of the UK evidence from previous voting trials is now hard to locate online.  But here are some nice clear statements from the UK Office of the Deputy Prime Minister (ODPM) in Implementation of Electronic Voting in the UK Technical Options Report circa 20031

A Comparison with Other Secure Transactions

It is useful to compare voting with other online transactions for which security is needed.

The most obvious comparison is with banking. Attacking an electronic voting system is unlikely to bring the immediate financial rewards that a successful attack on the banking system would, and thus some types of well-resourced attack are less likely. However, the likelihood of well-resourced attacks is still sufficiently high to be problematic.

The consequences of a successful attack are very different with electronic voting, than with banking, though. Banks can, and do, take a financial analysis of how much loss they can stand and insure against such losses. It may be that a political decision could be taken that the loss of a certain percentage of votes is acceptable, but in the absence of such a decision, security appropriate for banking cannot be considered sufficient for electronic voting. Banks have also maintained confidence in the face of repeated losses through computer crime by covering up the cause of those losses. It is inconceivable that, in the event of a successful attack on electronic voting, such a cover-up would be acceptable to the electorate if subsequently disclosed. In a similar vein, individuals can be, and are, compensated for financial losses due to disruption/failures/hacking of online banking. It is not easy to see how there could be equivalent compensation for disruption/failures/hacking of an individuals vote, even if somehow it was discovered which individuals were affected (which might not be possible with some sorts of disruption).

Another issue is anonymity: electronic voting differs from the aforementioned applications due to the fact that, in addition to the requirements for accuracy and privacy, there is the mandated necessity to provide … anonymity. In other words, banking applications can (in fact must) allow tracking back to the user of the system, but the [electronic voting system] must ensure that such tracking is impossible. (Mercuri, 2001, pp8-9).

Electronic voting also differs from financial transactions in that the risk that an election delayed by a few days will have a different result is unacceptably high. By contrast substantial financial transactions between two willing partners usually can be conducted a few days later if there are problems with ecommerce applications, since such transactions are rarely conducted on a whim.

The Mercuri citation above is to
Mercuri, Rebecca, 2001 Electronic Vote Tabulation: Checks and Balances PhD thesis, University of Pennsylvania.

1 From Paper Vote Canada blog post electronic voting in the UK – technical report, September 17, 2004. As the OPDM site is no longer available, a 31 July 2003 version from the Internet Archive is linked above.