Tag: online voting

How to enact remote voting for the Canadian House of Commons

As best I understand, the Government requested on May 25, 2020:

(f) the Standing Committee on Procedure and House Affairs be instructed to review and make recommendations on how to modify the Standing Orders for the duration of the COVID-19 pandemic as part of an incremental approach beginning with hybrid sittings of the House as outlined by the report provided to the committee by the Speaker on Monday, May 11, 2020, including how to enact remote voting, provided that (i) the provisions applying to committees enumerated in paragraph (e) shall also apply to the committee, (ii) the committee be instructed to present a report no later than Tuesday, June 23, 2020, (iii) any report which is adopted pursuant to this paragraph may be submitted electronically at any time with the Clerk of the House, and shall be deemed to have been duly presented to the House on that date, (iv) following the presentation of any report pursuant to this paragraph, the House leaders of all four recognized parties may indicate to the Speaker that there is an agreement among the parties to implement one or several of the recommendations of the committee and the Speaker shall give effect to that agreement;

With the disclaimer that I don’t read every single line of Hansard, I gather this passed on May 26, 2020.

So the Standing Committee on Procedure and House Affairs, otherwise known as PROC, is charged to produce a report on enacting remote voting by June 23, 2020, which is very little time indeed to gather evidence and analyse it.  They have already produced a report recommending remote voting (Internet voting), as detailed in my previous blog post.

It’s not clear the extent to which they understand the amount of effort that will be needed, given the complexity of implementing a remote voting system with robust authentication in a Canadian context with the technology we actually have in place, as the discussion on the previous report included statements such as:

I think this section [on remote voting], given the recommendation, is really substantiated by the U.K. Parliament and how quickly it moved to implement an electronic remote voting procedure.

What’s interesting about the things that I think are really relevant is that Karen Bradley is quoted in that letter. I would recommend that this quote appear in our report. She said, “The Committee is satisfied with the assurances it has been given about the security of the system.”

Also, I did a bunch of Google searching—

The UK uses a completely different technology infrastructure than Canada, their Parliamentary votes are conducted differently, and they have a dedicated Parliamentary technology team, the Parliamentary Digital Service. The situations are not interchangeable.

As I’ve said in my previous post:

There really needs to be a separate, dedicated, technology-focused report just on electronic voting (Internet voting) for the House of Commons that gives more specific guidance including an assessment of risks and risk mitigations.

As I indicated in my post about the UK system, you have to consider a variety of complex issues when introducing a voting system.

Considerations for a voting system include the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security, as well as usability.

So it’s good that there will be a separate report, but there isn’t enough time to do much of an investigation.  And ideally an investigation will involve more than “I did a bunch of Google searching”.

At a minimum, PROC needs to consider:

  1. For every voting scenario, how remote voting would work, or if it would not be possible to replicate the attributes of the in-House voting scenario remotely.  (I link to all the different ways a vote can be conducted — Putting the Question as it is called — at the end of this post.)
  2. How to deal with authentication, to reduce the risk that someone other than the Member of Parliament is voting.
  3. How to make the system usable, including reducing the risk of Parliamentarians voting the opposite of the way they intend (it took all of a day for this to happen in the UK).
  4. How to implement the system using modern software development approaches, learning the lessons of previous failed IT systems.
  5. How to detect and deal with situations in which the Parliamentarian is voting under duress.

Hopefully their duress solution will be better than the April 2020 U.S. Senate staff report‘s idea:

Another option would be to provide senators with a code word that they could use to make clear to those in the chamber that they were voting under duress.

I would also note that that same staff report indicated:

that system will become a prime target for adversaries … wishing to disrupt the system to undermine confidence in the country’s institutions, or to alter the outcome of significant votes. Therefore, any system the Senate adopts must provide a level of security that would ensure confidence in the validity of senators’ identities and votes similar to that which exists on the Senate floor.

Presumably in conducting its analysis PROC will be continuing the Parliamentary Duties and the COVID-19 Pandemic work.

Keeping in mind that remote Parliamentary voting is not at all the same as voting in a general election, most notably because Parliamentary votes are public, with no anonymity and no secret ballot, here is information about Submitting a brief to a Committee:

Guide for submitting briefs to House of Commons Committees

The Clerk of PROC is Justin Vaive, and the email address is PROC@parl.gc.ca

Previous Posts

For more information see my previous posts:

Putting the Question

As one might expect, Bosc and Gagnon provides a detailed explanation of the voting process in the House.

Chapter 12 – The Process of Debate – Decisions of the House – Putting the Question

You can read all the details there, but I have to include the marvelous Figure 12.3 Putting the Question. Law as code, if you will.

Figure 12.3 Putting the Question
Image depicting, in a series of boxes linked by lines, the steps required for the House to make a decision on a question. It begins with debate concluding, followed by the Speaker putting the question, then listing options for voice votes or recorded divisions. If necessary, the Speaker casts a deciding vote. At the end, the Speaker declares that the motion has been adopted or rejected.

(Above section copied from previous blog post.)

Set Up a Secure Electronic Voting System for the Canadian House of Commons, Recommends Procedure and House Affairs Report

I’m going to preface this with a plea: if an electronic voting (Internet voting) system proceeds, please involve computer security, voting system, voting technology, user experience, and web design experts from inside and outside of the government.

Also, for any journalist reporting on this: it does not mean that we could use Internet voting in a general election.  Parliamentary votes are not anonymous and not secret.  Parliamentarians vote by literally standing up in front of everyone else.  It’s a public vote.

I will also mention that in 2016 the ERRE committee already recommended, and in 2017 the government accepted, that there should be no Internet voting in general elections.

In the Parliamentary context, if they wanted to make this simple, they could just have a voice vote over videoconference (one by one, unless you want vocal chaos), or e.g. have people hold up cards on videoconference that say “Yea” or “Nay”.  It’s nothing like an anonymous secret ballot general election.

Committee Recommendation

On May 15, 2020 the Canadian House of Commons Standing Committee on Procedure and House Affairs (“PROC”) released its fifth report of this session: Parliamentary Duties and the COVID-19 Pandemic.  I will focus only on section Discussion – A. Observations and recommendations – ii. Legal and procedural matters – (e) Voting.

Committee recommendations are not binding on the Government; the course of action will depend on the Government’s response.

The Committee therefore recommends:

That the House of Commons set up a secure electronic voting system for conducting votes in virtual sittings as soon as possible in order to guarantee the right of members to vote safely in the event of a pandemic or any other exceptional circumstances threatening their safety and/or that of their families and communities.

Par conséquent, le Comité recommande :

Que la Chambre des communes mette sur pied un système électronique de vote sécurisé pour la tenue des votes dans le cadre des séances virtuelles, et ce, aussitôt que possible, afin de garantir le droit des députés à voter en toute sécurité en cas de pandémie ou dans toute autre circonstance exceptionnelle menaçant leur sécurité et/ou celle de leurs proches et de leurs communautés.

Note that these procedure changes are intended to be temporary.

(b) Temporary nature of procedural changes

Witnesses appearing before the Committee have been unanimous in their viewpoint that any changes made to the procedures and practices of the House of Commons should be temporary and made in response to the challenges of the COVID-19 outbreak.[85]

[85] For example, see House of Commons, Standing Committee on Procedure and House Affairs, Evidence, 1st Session, 43rd Parliament, Meeting 11, 23 April 2020, 1240 (Emmett Macfarlane, University of Waterloo); and [Hon. Anthony Rota, Speaker of the House of Commons], 1120. [original footnote link: [85]]

Considerations for Remote and Internet Voting

See the end of this post for the current process of Putting the Question, as it is called.  I will walk through each of the voting scenarios as it applies to remote presence and then Internet voting.

Speaker puts the question.

  • No dissenting voice – seems like this could be done by videoconference as long as everyone is present and the technology is working
  • Dissenting voice – Voice division – Since this is literally all of the members shouting at once, I don’t see how this could be done by videoconference.
  • Dissenting voice – Members call: “On division” – I can’t actually figure out how this works.  I think this is a way to anonymously register dissent concerning a voice vote – if so, there is no way to reproduce this feature in a simple online system.
  • Recorded division – All members in favour rise as their places and their names are called, then all members opposed rise in their places and their names are called – this could easily be done on videoconference as long as everyone is present and the technology is working.  Maybe not by having them stand, but by having some visual or text signal, e.g. they could literally raise their hand or make some other indication in the chat channel.
    • A recorded division may be conducted in one of two ways: as a party vote or as a row-by-row vote. Generally, a recorded division on an item of government business is conducted as a party vote, and a recorded division on an item of Private Members’ Business is conducted as a row-by-row vote.  (i.e. this is the same procedure, just with people called in a different order depending on whether it is a party vote or a row-by-row vote.)

So I’m not actually convinced you need Internet voting.  Except for voice division, you could just call on people one by one over videoconference the same way we already do when they are physically present in the House.

I’m not sure what the driver for introducing electronic voting (Internet voting) would be, other than the hope that it would be faster than calling on people over videoconference.  It means a big and rapid investment in authentication infrastructure, web infrastructure, and software design.

The UK implementation of “remote voting” built on an entire pre-existing infrastructure, was developed by a dedicated UK Parliamentary Digital Service, and still encountered challenges.  I’m not sure that Canada has the same technology infrastructure in place, and we definitely don’t have a Canadian Parliamentary Digital Service.

Hidden inside that single word “secure” in the Procedure Committee (PROC) recommendation is a whole world of technology complexity.

Need for a Separate Report and Modern Software Development Practices

There really needs to be a separate, dedicated, technology-focused report just on electronic voting (Internet voting) for the House of Commons that gives more specific guidance including an assessment of risks and risk mitigations.

UPDATE 2020-05-27: The committee has been called upon to produce a report on how to enact remote voting by June 23, 2020.  See my blog post How to enact remote voting for the Canadian House of Commons for more information. END UPDATE

As I indicated in my post about the UK system, you have to consider a variety of complex issues when introducing a voting system.

Considerations for a voting system include the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security, as well as usability.

Auditability is a really challenging one.  Basically either each individual MP would have to check that their vote has been counted based on their intention, and even then, they’re no longer all standing in a room where they can see how other members voted.  Unlike counting people in a room, online it’s hard if not impossible to get a good sense of whether the vote count reflects the votes cast.

Auditability considerations are somewhat mitigated by the party system, in which votes are whipped and party whips will check to see that members voted as expected.  Auditability is an even greater concern in the case of a free vote.

Usability is a key consideration for any new interface.  It only took a day for some UK members to vote the opposite way from what they intended.

Security is also a challenging one given that computers can lie, with customized malware capable of showing one result (e.g. a Yea vote) on screen and sending another (e.g. a Nay vote) to the voting software.  In that light, it’s worth mentioning that every month there is a Patch Tuesday, with May’s software updates including both Microsoft and Adobe releasing patches for vulnerabilities (“A remote attacker could exploit some of these vulnerabilities to take control of an affected system.”)

There is also a larger question, deeply related to human intentionality, about the physical and psychological differences between literally standing to be counted versus tapping a square on a screen.

The House would do well to draw upon the Government’s existing guidance for modern software development, including the Digital Standards.  The Standards surface a number of key approaches that help mitigate the risks of software development, including:

  • Design with users
    Research with users to understand their needs and the problems we want to solve. Conduct ongoing testing with users to guide design and development.
  • Iterate and improve frequently
    Develop services using agile, iterative and user-centred methods. Continuously improve in response to user needs. Try new things, start small and scale up.
  • Work in the open by default
    Share evidence, research and decision making openly. Make all non-sensitive data, information, and new code developed in delivery of services open to the outside world for sharing and reuse under an open licence.
  • Address security and privacy risks
  • Empower staff to deliver better services
    Make sure that staff have access to the tools, training and technologies they need. Empower the team to make decisions throughout the design, build and operation of the service.
  • Collaborate widely
    Create multidisciplinary teams with the range of skills needed to deliver a common goal. Share and collaborate in the open. Identify and create partnerships which help deliver value to users.

Briefs Submitted

You can see all the briefs submitted in evidence to this study.  The only ones relevant to electronic voting (Internet voting) :

  • two voting technology vendor submissions
  • a submission including expert cybersecurity considerations explaining why unlike for a general election, Internet voting is feasible for Parliamentary voting

Parliamentary voting, on the other hand, is entirely workable from a cybersecurity perspective because it differs from general elections in three crucial ways.

First, an MP’s vote is a matter of public record, which makes it possible to verify it was correctly recorded and counted. Second, the federal government has the resources to provide MPs with the necessary cybersecurity infrastructure to ensure the protection of electronic information. Third, the government has the capacity to provide MPs training on procedures necessary to ensure votes are successfully entered into the record.

  • a non-technical submission from Gregory Tardi that outlines some reasonable considerations

Bearing in mind the ever-present failings of computer-based systems, if the House decides to function in a virtual fashion, perhaps even on a temporary basis, it should gather two fundamental and vital working groups from among the staff of the House Administration:

  • a working group of legal advisors to engage in liaison with like-minded jurisdictions, especially from Commonwealth states, designed to exchange information on the best ways to ensure democracy, constitutionalism and the maintenance of parliamentary privilege, and
  • a working group of technical experts, whose principal task would be to design failsafe methods for the protection of MPs identity in their access to the system.

In order to render a virtual functioning of the House of Commons viable, the highest grade of hardware and software should be placed at the disposal of Member. Particular care should be taken in methodologies to verify each participating Member’s identity. In its preparation for the 43rd federal general election, Elections Canada worked extensively to prevent computer intrusion and fraud. That experience could be put to good use here.

If you find it surprising that only 1 of 14 briefs submitted would have independent expert technology analysis, the normal number of briefings from computer science subject matter experts submitted to a Canadian Parliamentary committee is sadly zero. Witnesses called to present at committee and briefs submitted are overwhelmingly individuals with political science or social science backgrounds.  In the 2016 Special Committee on Electoral Reform (ERRE) they called a single computer science expert in online voting, out of 196 witnesses called, even though online voting was a specific subject of consideration for the committee.

Canadian Parliamentary committees need to do better in seeking out computer science subject matter expertise.  On this topic, I will mention I have a list of over a dozen experts with Internet voting and computer security expertise.

Background – Electronic Voting Within the House

The issue of electronic voting within the House has been considered.  House of Commons Procedure and Practice, Third Edition, 2017 (referred to as Bosc and Gagnon) says basically there hasn’t been any recent action to implement electronic voting.

Chapter 12 – The Process of Debate – Decisions of the House – Calling the Vote and Announcing the Results – The Issue of Electronic Voting

The Issue of Electronic Voting

Proposals to install a system for electronic voting in the Chamber have been made over the years with a view to improving the management of the time of the House.382 In 1985, the Second Report of the McGrath Committee recommended computerized electronic voting, but the matter was not taken up by the House.383 In 1995, the Standing Committee on Procedure and House Affairs, noting that the practices of deferring several votes to the same day and time, and of applying results of votes, had “greatly speeded up the voting process”, recommended that the House not proceed at that time to a system of electronic voting.384 In 1997, the Committee briefly returned to consideration of the question of electronic voting, but did not report to the House.385 In 2003, a special committee endorsed the principle of electronic voting in the Chamber and recommended in two of its reports to the House that the necessary electronic infrastructure be installed in the Chamber during the summer of 2004.386 While the greater part of this infrastructure was installed as recommended, no further action has been taken in respect of electronic voting.

I’ve left in place the footnote links to the Procedure and Practice website, rather than pulling them all out within this blog post.

I have written a previous blog post considering this issue: Electronic voting in the Canadian House of Commons.

House of Commons Administration Report

UPDATE 2020-05-21: The report Virtual Chamber: A Report in Response to the Statement of the Speaker of the House on April 8, 2020 – May 7, 2020 – Version 2.0 (PDF) is available.  It has a brief section related to remote voting under the heading “Decision making” on page 18.  It’s a report from the House of Commons Administration on their considerations and analysis of what is possible; it’s not the same as a committee report.  END UPDATE

Putting the Question

As one might expect, Bosc and Gagnon provides a detailed explanation of the voting process in the House.

Chapter 12 – The Process of Debate – Decisions of the House – Putting the Question

You can read all the details there, but I have to include the marvelous Figure 12.3 Putting the Question.  Law as code, if you will.

Figure 12.3 Putting the Question
Image depicting, in a series of boxes linked by lines, the steps required for the House to make a decision on a question. It begins with debate concluding, followed by the Speaker putting the question, then listing options for voice votes or recorded divisions. If necessary, the Speaker casts a deciding vote. At the end, the Speaker declares that the motion has been adopted or rejected.

Remote voting in the UK House of Commons – Remote Divisions become reality

On May 12, 2020 the UK House of Commons conducted its first remote Division (remote vote).

UK Parliamentary Business – News – MPs cast first ever remote votes in Commons Chamber
The vote was conducted through MemberHub, the UK Parliament’s member website, which has Microsoft authentication.  Multi-factor authentication (MFA) was used to protect the authentication for the remote voting (the Internet voting).

There is some background on the development of the system in a Wired UK article by Chris Stokel-Walker: Inside the troubled, glitchy birth of parliament’s online voting app

Messaging about the voting system, which piggybacks on existing parliamentary IT systems, through the MPs MemberHub application, hasn’t been enormously clear. …

“We were asked to start looking into it just before Easter weekend,” says Matt Stutely, of Parliament Digital Services, who has been developing the voting service. Stutley dug out what he calls “a dusty chest of war plans we have in case we were ever asked to implement [online voting]”.

UPDATE 2020-05-14: Matt Stutely, the Head of Business Systems Development for the Parliamentary Digital Service, has written a blog post about the process of developing this service in the incredibly tight timeline of four weeks.

MPs make history with remote voting – the story of how it happened

In early April 2020, we were asked by the House of Commons to build a remote voting application for Members in just four weeks.

He indicates that making a service for remote voting (Internet voting) for the House of Lords will be next.

END UPDATE

UPDATE 2020-05-13: On May 6, 2020 the Procedure Committee wrote to the Speaker about the remote voting system.  The correspondence system has the full letter (PDF).

Members who by their actions facilitate a non-Member to cast a vote in a division of the House are very likely to be found to have committed a contempt of the House and to have breached the Code of Conduct, and can expect to be punished accordingly.

Call for Evidence

The Procedure Committee is conducting a Call for Evidence about all aspects of changed procedures during Coronavirus restrictions.  The call ends 3 June 2020.

Full Report

On May 8, 2020 the Procedure Committee issued a full report regarding remote voting in divisions.

This report notes:

The integrity of the system depends on Members. The remote voting system is not as secure as a system where a Member must vote in a division lobby in person.

and the Rt Hon Karen Bradley MP, Chair of the Procedure Committee, said

The present remote voting system was developed at high speed as a temporary measure for use during the pandemic.

For more information:

There is some technical detail in the full report, although at a very high level.  See Technical aspects of the remote voting system on pages 11-16 of the PDF above (items 23 through 51).

24. System security is delivered by the use of MemberHub, which uses single sign-on and multifactor authentication. All data is encrypted and sent over a secure connection, and voting records are stored in both MemberHub and the existing electronic divisions system. The bicameral Information Authority has issued a decision statement confirming it is content with the information security of the remote voting system, taking account of advice it received from the National Cyber Security Centre. The Speaker has been informed of the Information Authority’s decision.

28. The existing arrangements for divisions in person through the lobbies have particularly secure authentication arrangements which may be evident but are worth repeating here. To gain access to a voting lobby a Member must first gain access to a secure area of the estate using a security pass with a photo, and must pass a number of security staff and doorkeepers. In order to vote successfully, a Member who has taken his or her seat in the House25 must pass through a lobby containing several other Members and typically actively patrolled by party whips, and must then give a name to a division clerk and pass out of the lobby between two tellers.

29. This high level of authentication is not replicated in the remote voting system over MemberHub. …

30. The Committee’s opinion on the suitability of the remote voting system over MemberHub is given on the basis that the system is designed for temporary use during the COVID-19 pandemic and has not been designed for permanent use to replace the existing arrangements for physical divisions.

END UPDATE

Remote Division

Before the remote Division, the Speaker made a Statement, including:

I ask all Members to pay careful attention to what the Procedure Committee says about the integrity of the system. As the Committee states, any attempt to allow anyone who is not a Member to vote is likely to be a serious breach of privilege.

The UK House of Commons and UK Parliament Twitter feeds shared images:

Remote Division was called.

The results are in Hansard and can be viewed in detail at https://votes.parliament.uk/Votes/Commons/Division/783

More detail about the system is expected to be forthcoming in a blog post by the UK Parliamentary Digital Service this week.

Parliamentary votes are different from votes in a general election in at least three major ways:

  1. Votes can be coerced (in fact the role of the Whip is basically to enforce party direction on how to vote)
  2. Votes are not anonymous
  3. Votes are not secret

That being said, there are still lots of considerations for remote voting and technology voting, including concerns about the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security.

Auditability is a really challenging one.  Basically either each individual MP would have to check that their vote has been counted based on their intention, and even then, they’re no longer all standing in a room where they can see how other members voted (unlike the Canadian system where members stand one-by-one to be counted, in the UK MPs literally go to gather together by Aye and No votes in two physically separate locations, as described in the Voting section of MP’s Guide to Procedure).  Unlike counting people in a room, online it’s hard if not impossible to get a good sense of whether the vote count reflects the votes cast.

Security is also a challenging one given that computers can lie, with customized malware capable of showing one result (e.g. an Aye vote) on screen and sending another (e.g. a No vote) to the voting software.  In that light, it’s worth mentioning that the vote took place over the web on Patch Tuesday, with both Microsoft and Adobe releasing patches for vulnerabilities (“A remote attacker could exploit some of these vulnerabilities to take control of an affected system.”)

It will be interesting to learn what risks were identified and how they were mitigated.

There is also a larger question, deeply related to human intentionality, about the physical and psychological differences between literally standing to be counted or literally voting with your feet by moving to one room or another, versus tapping a square on a screen.

Remote voting (Internet voting) in a Parliamentary context is different from electronic voting in the chamber itself.  I covered some of the considerations for in-chamber voting in the Canadian context in my blog post Electronic voting in the Canadian House of Commons.

The First Incorrect Votes

In a remote Division on 13 May 2020, the Deputy Speaker reported

I have been informed that a small number of Members have inadvertently cast their votes, by electronic means, in the opposite way to the one in which they intended to vote. I am informed that their use of technology was not quite as good as they felt it ought to be and that a few Members have made a mistake. There is no provision under the current temporary system by which a Member can change their vote once it has been cast, but I am satisfied that even if a small number of votes had been cast in a different way it does not affect the result of the Division.

When such a situation is detected and affects the result of the Division, the Speaker has the authority to call a revote:

If problems in the conduct of a remote division which might have affected the result are reported after the result is announced, the Speaker may declare the division to be null and void and make arrangements for it to be re-run.

Auditability in a Whipped Parliamentary System

This also gets to a point about voting in a whipped Parliamentary system, which is that in the absence of a free vote, Whips are expecting votes along party lines, which makes it pretty easy to detect potential voting errors.  So there are definitely different auditability concerns than in a totally free vote; even if an individual member doesn’t notice they have voted opposite from their intent, their party is likely to notice very quickly.

SIDEBAR: This is another example of how Internet voting in a Parliamentary context differs from Internet voting in a general election.  In a general election, in order to preserve the secret ballot and to limit coercion, it must not be possible for anyone, including the elector, to show how they voted, or to verify how they voted.  Which makes one wonder e.g. how many Ontario and Nova Scotia municipal Internet votes might have been incorrectly cast, with no way to verify the intended result.  END SIDEBAR

News Story

In a story that I think is probably from PA Newswire, with headline including “amid remote voting errors”, it was reported

The division list showed 22 Conservative MPs supported the amendment, and in theory rebelling, although they included Chancellor Rishi Sunak – who made a mistake in the voting process rather than staging a shock bid to depart the Government.

A source close to Mr Sunak blamed “online teething problems with the system”, adding: “The Chancellor did not intentionally vote against the Government. He called the chief whip straight away to explain.”

As dozens of newspapers and news sites carried the wire story, you can pick your source, the first one that comes up in Google for me is the Express and Star.

Background

Remote voting (Internet voting) was authorised by the UK House of Commons Speaker on May 6, 2020 and was extended to May 20, 2020 by agreement of MPs.

The system was developed by the UK Parliamentary Digital Service.  Thanks to the Parliamentary Digital Service and Head of Business Systems Development Matt Stutely for responding to my questions on Twitter.  Thanks to the Procedure Committee, on Twitter @CommonsProcCom, for sharing links to its detailed report.

Elections Quebec consultation on Internet voting

Elections Quebec (Élections Québec) is consulting consulted on Internet voting (vote par internet).

https://www.electionsquebec.qc.ca/internetvoting/

The consultation closed November 3, 2019

You could answer a survey in English or en français.

You could also submit a position paper in English or French by email to

consultation_vpi@dgeq.qc.ca

Information en français https://www.electionsquebec.qc.ca/voteparinternet/

There is also a short URL which will land you on the French page http://voteparinternet.quebec/

Moratorium on electronic voting

I think it’s important to remember that in its 2005 elections, Quebec had severe problems with electronic voting.

“We all remember the events that marked the municipal elections of November 6, 2005,” recalled the Chief Electoral Officer. “Not only did the systems fail, but the corrective measure proposed were insufficient, poorly adapted and often came too late. … “

« Nous nous souvenons tous des événements qui ont marqué les scrutins municipaux du 6 novembre dernier », a rappelé le directeur général des élections. « Non seulement des systèmes ont fait défaut, mais les correctifs proposés étaient insuffisants, mal adaptés et souvent tardifs. … »

The problems were so severe that the Directeur général des élections du Québec (DGEQ) declared a moratorium on electronic voting in Quebec.

Many Canadian Internet Voting Studies

It is also worth noting that Ontario, British Columbia, New Brunswick and the Government of Canada all did various types of extensive studies or consultations on online voting at the provincial or national level, and all of them rejected it.  Nova Scotia and PEI have also examined online voting at the provincial level and rejected it.

See Canadian reports recommending against Internet voting.

Many National Internet Voting Studies

In addition, Finland studied and recommended against national Internet voting, Norway actually did trials of Internet voting and then rejected it, and Switzerland (which never had very much Internet voting) now has none because of security issues.

See Internet voting at the national level.

No Internet Voting in Canadian Federal Elections

For an overview of why Canada doesn’t have national Internet voting, including questions about turnout and security, see Why is there no online voting in Canadian federal elections?

Internet voting in Switzerland

There is currently no Internet voting in Switzerland, primarily due to security issues.

It’s complicated to write about Internet voting in Switzerland for several reasons:

  • Switzerland has a political structure of cantons, voting is done by canton with different systems in each canton
  • Switzerland does not have a history of voting privacy; historically and in a few locations even today voting is done by a public show of hands
  • Switzerland has many votes throughout the year on what are basically referenda
  • Switzerland has a good, but quite complex, set of regulations around Internet voting

Internet voting has been an option in some cantons.  I believe testing began in 2004.  Because of the Swiss Internet voting regulations, as best I understand the maximum percentage that can vote online is 30%.  (More than 30% voting online triggers additional requirements.)

The 30% figure is a bit misleading however.  Because only some cantons participated in online voting trials, it was open to just 3.8% of the overall electorate in September 2018 (and now is not available at all).1

1 Source – Slides “Trust in e-voting” (PDF, 1 MB, 07.02.2019), from Federal Chancellery FCh > E-Voting

As indicated above, the absolute number of voters was always relatively small.  In my own analysis of reports available online, I find that under 5% of the eligible voters vote online, representing 200,000 or fewer votes per voting period.  (My understanding is that voters have to register in advance to vote online; it’s not clear to me whether the numbers in these reports are just the number of registrations, or the actual number of ballots cast online.)

The map below summarizes the online voting testing that has been done by cantons, as well as making it clear that there is currently no online voting at all (in French « Pour l’instant, il n’est pas possible de voter par voie électronique en Suisse », roughly translated “For the moment, it is not possible to vote online in Switzerland”).

La Suisse - Essais de vote électronique dan le cadre de scrutins fédéraux
La Suisse – Essais de vote électronique dans le cadre de scrutins fédéraux

Above map from Chancellerie fédérale ChF > Vote électronique.

Turnout

Research indicates that turnout did not increase, specifically youth turnout didn’t increase.2

2 Internet voting and turnout: Evidence from Switzerland, by Micha Germann and Uwe Serdült in Electoral Studies, Volume 47, June 2017, Pages 1-12. https://doi.org/10.1016/j.electstud.2017.03.001

Background on Geneva and Swiss Post

Geneva developed two systems, CHvote 1 and CHvote 2.  As best I can understand CHvote 1 has been suspended, and there’s no money to further develop CHvote 2 to the level it would need to reach.

Swiss Post developed two systems, including a new one with a third-party for-profit private vendor.  The old system is being discontinued.  As required by Swiss law, the new system was put to a public intrusion test (with restrictive conditions) and the source code was made available (with restrictive conditions).

Swiss Post makes a remarkable claim about the new system.

The new system with universal verifiability was subject to a public intrusion test (PIT) in spring 2019. During the test, it withstood attacks from over 3,000 international hackers.

This is at best misleading.

The conditions on both the general testing and the availability of source code were restrictive.

There was not in any sense either unrestricted public testing nor unrestricted publicly available open source code.

And, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

You can read e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Three reports are available about the Swiss Post system from the Swiss government site, two in English and one in German.

    • Final report Locher, Haenni and Koenig (English) – (PDF, 1 MB, 29.07.2019) – Members of the e-voting research group at the Bern University of Applied Sciences BFH (Philipp Locher, Rolf Haenni, Reto E. Koenig): analysis of the cryptographic implementation of the Swiss Post voting protocol
    • Final report Teague and Pereira (English) – (PDF, 731 kB, 29.07.2019) – Vanessa Teague (The University of Melbourne, Parkville, Australia) and Olivier Pereira (Université catholique de Louvain, Belgium): analysis of the cryptographic protocol and its implementation according to the system specification
    • Final report Oneconsult (German) – (PDF, 303 kB, 29.07.2019) – Oneconsult: Review of Swiss Post’s operational security measures

Why is there no online voting in Canadian federal elections?

The short answer is that a Parliamentary Special Committee on Electoral Reform studied the issue and recommended against online voting in federal elections in their 2016 report

Recommendation 4
The Committee recommends that online voting not be implemented at this time.

and in 2017 the Government accepted the recommendation in its response to the report

We will not implement online voting at this time.

Here are some Frequently Asked Questions:

  1. Q: Don’t many countries offer online voting in national elections?
  2. Q: Won’t online voting increase turnout, including increasing youth turnout?
  3. Q: Aren’t there studies showing smartphone mobile voting increases turnout?
  4. Q: What standards does Canada have for online voting and computer vote counting?
  5. Q: Don’t we already have the security needed to conduct online transactions?
  6. Q: Aren’t these kinds of attacks on online voting theoretical?
  7. Q: Maybe we need more study of Internet voting in Canada?
  8. Q: What do computer scientists say about online voting?

Please feel free to ask additional questions.

Q: Don’t many countries offer online voting in national elections?

A: No, the only country in the entire world that offers online voting for all citizens in national elections is Estonia, population 1.3 million. The majority of Estonians still choose to cast their votes on paper; only 247,232 votes were cast online in the 2019 Estonian Parliamentary election.

Estonia’s turnout in its 2015 national election was 64.2%.  That’s turnout lower than Canada in its own 2015 national election; Canada’s turnout in 2015 was 68.3%.

Estonia’s 37.6% turnout in the 2019 European Parliamentary elections ranked it 20th of 27 countries for turnout.

For more information see:

In terms of other countries and national online voting:

Q: Won’t online voting increase turnout, including increasing youth turnout?

A: No.  Over and over again, at different levels of government in different countries, no.

Estonia’s turnout is generally declining.

Switzerland saw no effect on turnout.

For many other examples see Online voting doesn’t increase turnout.

I understand that it seems intuitive that voting is about convenience, so online would increase turnout, or that voting is about familiarity, so making it online would increase voting by young people who are already used to doing things online.  This mental model of voting convenience increasing turnout is simply not supported by the evidence.  People choose to vote or not vote for complex reasons.

Q: Aren’t there studies showing smartphone mobile voting increases turnout?

A: No, there was a single study. With a sample size of 144 (one hundred and forty-four) votes.

The paper was presented at the 2019 Election Sciences, Reform, & Administration Conference (ESRA 2019), in the section Public Trust in Elections.  Promises and Perils of Mobile Voting – Anthony Fowler (Univ. of Chicago).

You can see the sample size on page 7: “In total, 144 votes were cast with a mobile device in the November election.”  You can see the total number of votes cast at https://sos.wv.gov/news/Pages/11-16-2018-A.aspx (or archived version in the Internet Archive).

Here’s some advice on citing scientific studies: be very careful when citing a single study that has a small sample size.

It’s also important to note that in the exact same paper, on page 2, Fowler states:

Several European countries abandoned internet voting after seeing that the increases in turnout were not as large as expected…

Q: What standards does Canada have for online voting and computer vote counting?

A: Canada has no standards whatsoever for online voting and computer vote counting (vote tabulation).  Really.

Sometimes systems for computer vote counting at the Canadian municipal level are certified to voluntary US standards, often extremely dated (2005) voluntary standards.

Ontario has finally recognized this as an issue, with Elections Ontario recommending establishing standards and certification for elections technology.

Q: Don’t we already have the security needed to conduct online transactions?

A: Voting is a unique interaction due to the need to both verify that an individual is eligible to vote AND ensure that each individual’s vote is completely anonymous.  This is a very different problem from e.g. online banking, where transactions are not anonymous, in fact they are known to both the bank and the individual.  Banking online is actually not completely secure, but the shared knowledge of transactions enables false or erroneous transactions to be reversed.

The US National Academies of Sciences, Engineering and Medicine (NASEM) has a comprehensive study process, used to arrive at a scientific consensus.  In their report Securing the Vote, they find “There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.” and “the risks currently associated with Internet voting are more significant than the benefits”.  For more information see Securing the Vote – US National Academies 2018 consensus report.

The requirement for anonymity is based on the history of voting, where voting was heavily coerced.  People used to have to vote by public declaration, and would be paid or rewarded for voting a certain way (or punished if they didn’t vote for the desired candidate).  For an overview of some of that history from a US perspective, see Andrew Appel’s video Internet Voting? Really?.  For an extensive account from an Australian perspective, including the history of the creation of the secret ballot (also known as the Australian ballot) see Judith Brett’s book From Secret Ballot to Democracy Sausage.

If the idea of someone trying to compromise a Canadian election seems improbable to you, please check out Canadian reports on election security and misinformation, including two reports from Canada’s government cybersecurity agency.

If the idea of someone attacking Canadian government computers seems theoretical to you, it’s important to know that key Canadian government departments including the Finance Department, Treasury Board Secretariat, Defense Research and Development Canada and the National Research Council have all been successfully hacked.

Q: Aren’t these kinds of attacks on online voting theoretical?

A: No, see Practical Attacks on Real-world E-voting (including Internet voting in section 7.3) by J. Alex Halderman and e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Q: Maybe we need more study of Internet voting in Canada?

A: Online voting has been studied and rejected at the provincial level by New Brunswick, PEI, British Columbia, Ontario, and Nova Scotia.  It has also been studied and rejected at the municipal level by Toronto and Waterloo, amongst other municipalities.

See Canadian reports recommending against Internet voting.

Q: What do computer scientists say about online voting?

Computer scientists, particularly computer security experts who specialise in election security, are overwhelmingly opposed to online voting.

For more information see Internet voting and computer security expertise.

Internet voting must be about public evidence not belief

Internet voting, and indeed any kind of trusted election must be about public evidence, not belief.

If we wanted to conduct elections based on belief, we’d just take all the ballots into a secret room and say “trust us, we believe we have all the right counting and integrity in place”, and then produce the final count of the votes basically out of nowhere.

If we did that with paper ballots people would be incredibly suspicious.  Who did the counting?  How can we be sure the ballots were honestly counted?  Where was the oversight?  Where are the ballots to provide the evidence?  Can we even trust the ballots now that they have been held in secret?  What if they were changed?

This seemingly-ridiculous scenario is actually a pretty accurate description of where Canada is now with Internet voting.

A typical “debate” scenario has a Chief Electoral Officer or city councillor or city staffer on one side, and a computer scientist on the other.  Not only is this a totally artificial “balance” of views, the main issue becomes assertions of belief without evidence, on both sides.

The electoral officer says believe us, we have all the necessary measures in place to make Internet voting trustworthy.  The computer scientist says they believe there are possible attacks.  And that’s it.  You’re left to try to decide which belief to believe.

Fundamentally elections are not supposed to work like this.  Elections are not about trust and belief, they’re about evidence.

Maybe after having the anonymous paper ballot for so long we’ve forgotten that it was designed to provide public evidence, it’s not just a haphazard system we ended up with.

So Internet voting must provide public evidence, but it doesn’t.  Internet voting in Canada should provide public source code, but it doesn’t.  Internet voting in Canada should provide a public opportunity to conduct realistic attacks on the real system, or a very close model of the real system, but it doesn’t.  Internet voting in Canada in fact produces zero public evidence.  In fact, both the provision of public source code and public attacks on the real system are illegal, the former because of intellectual property law and the latter because of cybersecurity law.  Which is why the computer scientist can only say “believe me, there are potential attacks” rather than actually demonstrating real attacks.

So for Internet voting, you now have to entirely transfer your trust to the election organisation, but actually it is worse than that, because with the third-party vendor model of Internet voting that Canada uses actually you’re entirely transferring your trust to the third-party, for-profit vendor.

What security tests are conducted on the vendor?  Sorry, that’s a secret.

What security measures are taken by the elections organisation?  Sorry, that’s a secret.

What security measures are in the code and the servers and the network the vendor provides?  Sorry, that’s a secret.

To be clear, I have a high degree of confidence that Canada’s public election organisations are doing their job with all necessary diligence and expertise.  But my confidence is irrelevant.  Confidence is not how you run elections, evidence is.  And in the transition to computer vote counting and Internet voting, we have totally changed our trust model without any meaningful public discussion (as I have mentioned before specifically about computer vote counting).

Maybe from now until the end of time, our public election organisations and their private vendors with secret code and secret testing will conduct themselves perfectly.

But this seems unlikely given human history plus the fact that every single time voting code is made available for inspection or opened to public attack, the code is shown to be insecure.  This ranges from Washington, DC in 2010 as documented by J. Alex Halderman, to Switzerland in 2019.

There are very good computer-theoretic reasons that you can’t trust Internet voting even if the code is found to be secure, including under real-world attack; there is as yet no solution for secure Internet voting.  But it is perfectly reasonable to experiment in low-risk, small-turnout situations.

An actual experiment would place Internet voting in the same space of public evidence as paper ballots.  Which means that Canada would need standards, public code and public testing.  You may be shocked to find out that unlike pretty much everything from your municipal water supply to any product you may buy, Canada has no, none, zero standards for Internet voting.  No mandatory requirements.  No mandatory testing.  No nothing.  Internet voting typically shows up as a single line about “electronic voting” in an alternative voting methods law or bylaw.  That’s it.

The absolute critical first step to bringing public evidence back to elections in the Internet voting era is to have some very basic foundational standards and requirements, starting for example with the Swiss model that requires both public source code and public security testing.

In the absence of bringing public evidence to the conversation about Internet voting, we’re just going to have year after year of the same pointless back and forth about election beliefs, a conversation that can never be resolved because there’s no actual evidence to draw conclusions from.