Government of Canada statement on online voting and cybersecurity

May 30, 2017

Electoral Reform
Committees of the House
Routine Proceedings

Discussion introduced by Nathan Cullen (Skeena—Bulkley Valley, BC).

Madam Speaker, I move that the third report of the Special Committee on Electoral Reform presented on Thursday, December 1, 2016, be concurred in.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/nathan-cullen-1/

Later in the discussion, response (excerpt) by Andy Fillmore, Parliamentary Secretary to the Minister of Democratic Institutions

Another committee recommendation, number 4, advises against allowing online voting at this time. Again, we agree, and while Canadians who participated in mydemocracy.ca agreed that online voting would improve voter turnout, their support was contingent on the need for solid assurance that such a system would not be vulnerable to manipulation by hackers. Similar concerns were heard from the experts before the special committee.

…

I want to touch briefly on the Minister of Democratic Institutions‘ mandate to protect our electoral system from cyber-attacks. Working with her colleagues, the Minister of Public Safety and Emergency Preparedness and the Minister of National Defence, the minister has asked the Communications Security Establishment to analyze proactively the risks to our electoral system and to release a public report. Further, we will ask the CSE officer for advice for political parties on cybersecurity best practices.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/andy-fillmore-2/

I do need to mention that, despite the survey-question-driven assertion that “online voting would improve voter turnout”, the evidence is that online voting does not increase turnout.

Previously:
December 1, 2016  ERRE Electoral Reform Committee Recommends Against Online Voting
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons

Updates on Internet voting worldwide

Many things are happening.  Too many things for me to write separate blog posts.  Here’s the situation as of March 8, 2017:

Canada

• Canadian Parliamentary Special Committee on Electoral Reform recommended against national Internet voting – see December 1, 2016 blog post ERRE Electoral Reform Committee Recommends Against Online Voting
• Canada’s Minister of Democratic Institutions was directed in her Mandate Letter to defend the Canadian electoral process against cyberthreats – see January 23, 2017 blog post defend Canadian electoral process from cyber threats
• New Brunswick legislature Commission on Electoral Reform recommended against Internet voting – see March 23, 2017 blog post New Brunswick Internet voting and page 21 of Commission report A pathway to an inclusive democracy
• Vancouver Independent Election Task Force recommended to city council that Vancouver conduct an online voting pilot, including asking the province to establish an independent technical committee – see slide 17 “Conduct an online voting pilot” of the Task Force presentation to council and pages 27-28 of the Task Force final report
• Many Ontario municipalities have approved Internet voting for the 2018 municipal elections (far more than this blog can track; it will probably end up being about 200 municipalities)

Everywhere Else

• The Netherlands will use hand-counted paper ballots due to cybersecurity concerns.  They have discussed almost totally eliminating computers from every step of the process.   See primary source  Uitslag verkiezingen moet boven alle twijfel verheven zijn (“Election results must be beyond all doubt”) and many secondary sources e.g. A small, tech-savvy nation gives up on computers in this month’s parliamentary elections.
• France has discontinued Internet voting (which was only offered to citizens abroad) due to cybersecurity concerns.  Terminology used is vote électronique.  See primary source Français de l’étranger – Modalités de vote aux élections législatives and many secondary sources e.g. France drops electronic voting for citizens abroad over cybersecurity fears
• Swiss Post has launched a demo of its third-party-vendor-based Internet voting solution, along with some accompanying technical documentation.  In the text they open the possibility of external evaluation, stating “Swiss Post is also working with universities to review the system from a neutral scientific perspective.”  See primary sources in English, French, German and Italian.  I encourage you to examine the documentation, available by clicking on Transparency and Publications on the page Swiss Post’s e-voting solution.
• The Prime Minister of Estonia has said the government will continue with Internet voting, but that it needs to “proactively test” its Internet voting systems to ensure they can withstand cyberattacks.  Terminology used is e-valimised (e-elections) and e-hääletamine (e-voting).  Secondary sources Keskerakond vilistab varasematele seisukohtadele? Jüri Ratas: e-valimised jäävad, e-valimised ei kao and tweet by @ottummelas.
• Lithuania has announced its intent to have national online voting, with a target of 20% of votes cast online by 2020.  Terminology used is balsavimo internetu (Internet voting).  Primary source is in the government’s plan page 18 section 3.2.2. Balsavimo internetu sistemos sukūrimas (3.2.2 Internet Voting System), secondary source Lithuanian government seeks to introduce online voting this year.
• Finland has formed a new Internet voting working group, to investigate the implementation of national online voting, with a completion/report date of November 30, 2017.  Terminology used is nettiäänestys (online voting) or Internet-äänestys (Internet voting).  Primary sources Finnish Government: Introduction of internet voting set as goal (2016) and Working group to conduct feasibility study on online voting (2017).  Secondary source Finland to allow voters to cast votes online in all general elections (2016).  The working group information page (in Finnish) is Nettiäänestys and includes some background documents as well as the list of the working group members.  Note that the email address etunimi.sukunimi@om.fi is just telling you that to contact someone you construct an email address with firstname (etunimi) dot lastname (sukunimi).  – See March 14, 2017 blog post Internet voting in Finland.  UPDATE 2018-02-28: Finland recommended against Internet voting.  END UPDATE
• In addition to Canada, a number of other countries have expressed concerns about cybersecurity of the entire electoral process, including cybersecurity for political parties.  This includes: the US, the Netherlands, France, and Australia.

defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

In the mandate letter for Minister of Democratic Institutions Karina Gould, she receives direction to discontinue electoral reform activities

Changing the electoral system will not be in your mandate.

She is also directed to defend the current electoral system from cyber threats, by working with National Defence, Public Safety, and the Communications Security Establishment (CSE).

UPDATE 2017-06-19: The CSE has released its report on Cyber Threats to the electoral process.  ENDUPDATE

In addition through her, CSE is directed to analyze security risks to Canadian political and electoral activities, and to offer advice to Canadian political parties and Elections Canada on cybersecurity.

In collaboration with the Minister of National Defence and the Minister of Public Safety and Emergency Preparedness, lead the Government of Canada’s efforts to defend the Canadian electoral process from cyber threats.  This should include asking the Communications Security Establishment (CSE) to analyze risks to Canada’s political and electoral activities from hackers, and to release this assessment publicly.  As well, ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security.

(a copy of the mandate letter is also available in Archive.org)

Given the current cyber threat environment, with documented compromises of political party systems and elections-related systems, I consider this new emphasis on electoral process cyber security to be excellent.  Having CSE release its security assessment publicly is also a very important step.

Note that in addition to Canada and the US, the Australian Prime Minister also expressed his concern about foreign actors attacking political parties.

The [Australian] Federal Government is urging Australia’s political parties to steel themselves against potential foreign cyber attacks, as Prime Minister Malcolm Turnbull prepares to announce an unprecedented cyber security briefing for political parties to be held in Canberra early next month.

from ABC News – Government urges political parties to ‘keep themselves secure’ ahead of cyber security briefing – January 23, 2017

video – An Uninvited Security Audit of the U.S. Presidential Election

Computer security researchers J. Alex Halderman and Matt Bernhard report on US voting computer security and the attempts to conduct comprehensive audits of the 2016 election results (recounts) in Wisconsin, Michigan and Pennsylvania.

Video also available (including for download) at https://media.ccc.de/v/33c3-8074-recount_2016_an_uninvited_security_audit_of_the_u_s_presidential_election#video

Halderman and Bernhard were presenting at the hacker conference Chaos Communication Conference (CCC) on December 28, 2016.

The slides may become available on the presentation page https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8074.html

Matt Bernhard tweets @umbernhard

You can find more about J. Alex Halderman in my list of computer security experts https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#JAlexHalderman