NWT Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election

The Legislative Assembly of the Northwest Territories will hold a public briefing on the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday June 30, 2020 at noon Eastern time.  This report is significant because this was the first Canadian general election in which online voting was permitted at a provincial or territorial level.

The Standing Committee on Rules and Procedure, …, will hold a public briefing regarding the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday, June 30, [2020] at 10:00 AM MDT [noon Eastern time]. Dr. Aleksander Essex will be in attendance.

To watch the meeting, tune in to the live stream on ntassembly.ca, or on the Legislative Assembly’s Facebook, Youtube, or Twitter accounts.

They identify five election technology systems:

  1. Elections NWT website hosted by GNWT
  2. Electorhood website hosted by ColdFront Labs (was electorhood . ca, but website is now gone)
  3. Elections NWT Learning Management System (LMS) hosted by Kellett Communications
  4. Elections NWT Elections Management System (EMS) hosted by DataFix
  5. Online Voting Platform hosted by Simply Voting

In case this terminology isn’t clear, the online voting was procured from the third-party, for-profit company Simply Voting, which ran the entire online voting system.  The code is proprietary and has not been made available for independent analysis.  This model of handing over the entire operation of online voting to a private for-profit company is the one used in all Canadian online voting to date.

I will quote part of the Security section of the report

To ensure the security and integrity of all Elections NWT online environments, and the election process as a whole, a security assessment was conducted on all five of Elections NWT online Platforms.

An agreement was made with Hitachi Systems Security to perform a Web Application Assessment and Penetration Test of the Elections NWT online systems.

This is a routine measure to secure an ordinary web server used for government services.  It treats online voting as if it is any other web-based government service.  But online voting has a uniquely higher level of risk and may attract sophisticated attackers, who will do a lot more than a vulnerability scan in order to compromise a system.

The Hitatchi Systems Security report has not been made public, even though there is no security in obscurity.

Overall, the Election Technology section of the report does not propose any threat model.  Without a threat model, there is no way to determine what assessments should be used.

The most basic possible online voting model must include:

  • the client
  • the network
  • the online voting server
  • the code running on the online voting server

Security – The Client

The client (the voter casting the vote) is a huge security gap that is simply not considered in most online voting security analysis conducted by governments.  Votes are cast from personal computers and smartphones.  Computers and smartphones that are notoriously insecure.  And often not updated with operating system and software application patches for known vulnerabilities.  Where is the vulnerability scan and assessment for every single voter?

In the absence of client security, there are a wide variety of possible attacks, including software that watches for voting activity and alters the votes cast.  If this sounds theoretical, this is exactly what banking trojan software does.  F5 identifies over a dozen different major named banking trojans, it’s not an uncommon type of attack.  In another type of attack, realistic-looking false websites are set up to direct voters to fake voting websites or applications for a variety of malicious purposes.  If this sounds theoretical, it’s exactly what some ransomware attackers did when a Canadian COVID-19 contact tracing application was announced.

If you want an analogy, considering online voting secure if the server and network were somehow secure, but without client security, is like having thousands of dollars visible in the front window of your unlocked house, but then transporting it by armored car to a bank vault.  Where do you think a thief is going to target their attack?

But of course the network and the server aren’t secure.

Security – The Network

From the client’s router through to the core network hardware, there are continuous vulnerabilities in networks.  How continuous?  Well here are three different network vulnerabilities from just the past week:

Security – The Server

There are very sophisticated attackers that target specific government activities.  You don’t have to believe me.  You can read e.g. the Canadian Centre for Cyber Security Cyber threats to Canadian health organizations (AL20-008 – Update 1).  The counter-argument to that is usually “why would anyone attack my election?”  But that is no counter-argument.  To quote the Centre for Cyber Security

Sophisticated threat actors may choose to target Canadian organizations

There’s nothing about elections that would prevent them from being targeted; if anything they are potentially a very attractive target for many reasons.

Patching the kind of routine web vulnerabilities a penetration test is going to find is a necessary measure but almost meaningless against sophisticated attackers who can exploit much more challenging and obscure vulnerabilities using entire teams of people trained in compromising computer systems.

In addition to this, Canada has no mechanism whatsoever for inspecting the actual code that the third-party vendors are running on their servers.  Even if somehow the entire chain of client through network to server were secure, the online voting code itself could have bugs.

Look to Switzerland

We need much stronger security assessment of Canadian online voting, including independent security analysis with access to the actual online voting code.  Switzerland has been a world leader in putting in place the legislative framework for this kind of inspection, as I outline in my blog post

Swiss voting technology law sets the standard, in theory

and finding even that inadequate, Switzerland has now surveyed international experts for guidance on how to further enhance the legislative framework for examining the security of online voting systems.  And notably Switzerland has paused all online voting until they can get a system that passes that assessment.

Security – Summary

It is good that the Northwest Territories conducted penetration testing

All tested applications showed good resilience against known Web attacks and were not vulnerable to any injection flows, privileged escalation, broken access controls or sensitive data exposure.

Many Canadian municipalities procuring online voting don’t conduct even this very most basic security measure.

However, this level of basic web server security is wildly inadequate for online voting.  The threat actors are much more sophisticated, the level of risk is much higher, and the integrity of the system requires the entire voting process to be secure, end-to-end.  Canada needs to examine online voting security using a threat model that includes every step actually involved, including the client, the network, and the online voting code.  Collaboration with Canada’s Centre for Cyber Security and developing much more extensive independent assessment criteria based on the Swiss model would be a starting point.

The Actual Online Voting Numbers and Countries

Online voting was made available for absentee voting only.  489 ballots were cast, making this voting channel 3.7% of all ballots cast.

In the table “Absentee Poll Electronic Ballot Turnout by Country” the report indicates that ballots were cast from Canada (459 ballots), the US, France, Philippines, Denmark, Serbia, Spain, Japan, Norway, New Zealand, Zambia, Switzerland, Italy, Mexico, Morocco, and Germany.

Keep in mind how much additional, uncontrolled, non-Canadian Internet infrastructure some of these online voting interactions had to traverse.

Analysis of Recommendations for Legislative Changes

Many of the recommendations are about clearly separating voting by mail from voting online.

43 Powers of the Chief Electoral Officer – Create – report page 94

The Chief Electoral Officer may establish procedures in respect of voting by online ballot.

This would effectively make online voting a permanent option for Territorial elections, with basically no parameters around what the procedures should be.

If we are to have online voting (and to be clear, I don’t think we should), this lack of requirements and standards is a huge gap that could be addressed with a Swiss model that is much more prescriptive about assessing online voting.

45 Security of the Ballot Box – Section 153 (2) – Create – report page 95

The Chief Electoral Officer shall take precautions to ensure the safekeeping and security of the ballot box and ballots used for voting by online ballot.
S.N.W.T. 2010,c.15,s.17; S.N.W.T. 2014, c.19,s.20, 21.

As above, this is better than nothing, but far from the level of prescriptive requirements that would be needed, starting with an actual threat model including every step and participant in online voting, and advancing with Canadian Centre for Cyber Security guidance to a model much more like Switzerland where there is outside independent assessment by experts.

Just compare the level of requirements actually needed with the current model, which is a routine web server penetration test, with results in a secret report not provided to the public, and no assessment whatsoever of the vendor’s secret computer code that actually runs the online voting.

How can we have trust in an election where the security measures are a secret assessment of only the web servers, an assessment that didn’t even include looking at the actual computer code?

There is more in the recommendations but quite frankly I’m out of time.

Next Election

The next Territorial General Election is expected on October 2nd, 2023.

SIDEBAR: The Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election is also available from the Elections NWT website (PDF).  END SIDEBAR

May 21, 2019  Questions about online absentee voting in the NWT

Newfoundland Select Committee on Democratic Reform

The Newfoundland and Labrador House of Assembly has had a Select Committee on Democratic Reform.

UPDATE 2022-05-23: The 49th General Assembly dissolved prior to the [2020] Committee’s deadline to report.  The Committee is now disbanded.  It is replaced to some extent by the 2021 All-Party Committee to Modernize the Elections Act.  For more information see Newfoundland 2021 All-Party Committee to Modernize the Elections Act.  END UPDATE

Continue reading “Newfoundland Select Committee on Democratic Reform”

Internet Voting Privacy and Security Risks report from OIPC Newfoundland

The Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) has released a very clear report that explains the unique characteristics of the secret ballot and elections, and examines the risks that would be introduced by implementing Internet voting.

Internet Voting – Privacy and Security Risks (PDF)

It also asks a very fundamental question: what problem is Internet voting trying to solve?

In reviewing reports and public documentation from Canadian jurisdictions where internet voting has been implemented it appears that there has been little to no concerted effort on the part of governments, prior to implementing internet voting, to 1) identify the problem to be addressed and 2) understand what has caused the problem.

In the case of internet voting, it is not even clear that there is a problem [that is being solved]. If the problem can be framed as lack of participation in the democratic process, this is a much broader problem than the method of voting.

The report was authored by Sean Murray, Director of Research and Quality Assurance.

The report is particularly timely as Newfoundland and Labrador has established a Select Committee on Democratic Reform that is to review voting systems and methods.

For more on OIPC Newfoundland and Labrador, see:

Remote voting in the UK House of Lords

On June 10, 2020 the UK House of Lords posted Online voting to be introduced in House of Lords for the first time.

NOTE: This is a separate system from the UK House of Commons.  For information about that system see instead Remote voting in the UK House of Commons – Remote Divisions become reality.

House of Lords

There isn’t much technical detail in the post, it just says

Members of the House of Lords will soon be able to vote remotely for the first time when the House of Lords launches an online voting system. Members will be able to vote on a smartphone, laptop or other device.

The system is being developed by the UK Parliamentary Digital Service.

Hopefully a technical blog post will be available once it launches.

The House of Lords indicates that the first remote voting may take place as soon as June 15, 2020.

UPDATE 2020-06-15: The House of Lords is indeed voting remotely on June 15, 2020.

Online voting in #HouseofLords starts today.
Twitter – @UKHouseofLords


Parlimentary Voting vs General Election Voting

As a reminder, Parliamentary votes are different from votes in a general election in at least three major ways:

  1. Votes can be coerced (in fact the role of the Whip is basically to enforce party direction on how to vote)
  2. Votes are not anonymous
  3. Votes are not secret

That being said, there are still lots of considerations for remote voting and technology voting, including concerns about the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security.

It’s because Parliamentary votes are public that it is possible to implement a remote voting system for the House of Lords.

Conversely, the anonymous secret ballot in a general election cannot be implemented using remote voting (online voting).  For a very clear explanation of the issues with online voting in the context of general elections, see Eric Geller’s Politico article Some [US] states have embraced online voting. It’s a huge risk.  For a more in-depth academic analysis, see the 2018 consensus report of the US National Academies of Sciences, Engineering and Medicine (NASEM): Securing the Vote.