Tag: Ontario

comment on The Agenda – Is Online Voting the Future?

TVO – The Agenda – Is Online Voting the Future? – May 17, 2017

COMMENT

In future I hope that TVO will invite computer scientists who specialise in elections security when the topic is online voting.

There were a number of things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, and that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.

In every such case, without exception, the recommendation is against online voting. This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.

END COMMENT

Also see my longer email with links – email to TVO about online voting.

email to TVO about online voting

Here is an edited version of an email sent to TVO about their May 17, 2017 The Agenda segment on online voting.

EMAIL

I was pleased to see Steve Paikin ask a variety of questions about online voting, Internet security and electoral fraud in the May 17, 2017 The Agenda segment on the topic.

http://tvo.org/video/programs/the-agenda-with-steve-paikin/is-online-voting-the-future

There were many things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, or that municipalities have to make the decision about online voting without any comprehensive background briefing about the computer security risks, or that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.  In every such case, without exception, the recommendation is against online voting.

This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.
[added for the web: recommendations on Internet voting from government consultations]

In addition, Quebec has a total moratorium on all forms of electronic voting, including online voting.

As well there is the recent expert study of the PEI referendum, which also recommended against online voting.

Just to give you a flavour of these kinds of expert assessments, here’s what Toronto had to say in its analysis http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

Should you have a future segment about online voting, I urge you to include computer science expertise.  Here is a list of contact information for experts specifically in the risks of online voting, including Canadian experts such as Dr. Simons and Dr. Essex:

[embedded list replaced with web link: Internet voting and computer security expertise]

END EMAIL

Comments about Orillia Internet voting

The City of Orillia has invited comments about its proposal for Internet voting in the 2018 Ontario municipal election.

The website is City of Orillia Voting Method – Public Comments and the deadline is Monday May 1, 2017 at 10am Eastern.

They have included a link to their staff report: Clerk’s Department Report CD 17-08 – Alternative Voting Method Options (PDF).

Below is my submission.

COMMENT

Dear Mayor and Council (c/o Janet Nyhof, Deputy Clerk):

I am writing in response to the request for comments about the recommended City of Orillia voting method.

http://orillia.ca/en/news/index.aspx?feedId=6f58f980-7799-42a7-9149-7b35d865e9ee&newsId=c90efff1-5ce5-4d2e-9ee5-40b300572e08

I recommend against using Internet voting.

I have reviewed the Clerk’s Department Report CD-17-08 2018 Municipal Election – Voting Method Options.

http://icreate4.esolutionsgroup.ca/230002_iCreate_NewsModule//Management/Attachment/Download/2f0783f2-adf9-4b98-acc5-53b09cfff307

I have the following concerns with this report, which does not cite computer science and computer security evidence:

* it appears to minimize the disadvantages

* it selectively reports on municipal adoption of Internet voting

* it does not provide a comprehensive analysis of the system-wide security and error risks

I agree with the following conclusions of the report, which are well-supported by social science evidence:

* Internet voting will not increase turnout, nor will it change the voter profile

I have provided additional detail in an appendix below.

Thank you,

Richard Akerman

Appendix

I would like to examine the disadvantages cited in more detail:
*System may be perceived as vulnerable to hackers

All systems are vulnerable to hackers.  This is not perception, this is reality.  This is the nature of computers.  Microsoft, with huge resources, nevertheless releases patches every single month for critical errors (vulnerabilities) in Windows and associated Microsoft software.  The situation is so bad that the Economist magazine recently did a cover story proclaiming “Why computers will never be safe”.
http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

I want to emphasize that this is not just about e.g. foreign hackers attacking the voting server.  It’s about two significant issues: 1) all systems have errors (bugs), and require extensive examination in order to ensure that errors have been minimized 2) the entire voting system, which in the case of Internet voting means the voter’s personal home computer or computing device, must be secure in order for the vote to be secure

How many hundreds or thousands of insecure home computers might be involved with a municipal Internet vote?  We really have no way of knowing; it would require a survey of a representative sample of users.  The Internet voting vendors almost never mention this security aspect of the election.  We do know that very large numbers of computers are compromised worldwide, due to lack of technical expertise combined with challenges in downloading what may be very large patches, as well as due to older systems such as Windows XP no longer receiving security updates.

Just this month the US Department of Justice began dismantling a network (“botnet”) of compromised computers that numbered in the tens of thousands of machines.  That’s just one example, of many.

https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

Canadian government and corporate computers are hacked all the time.  Even Loblaw PC Plus points were hacked.

https://www.thestar.com/business/2017/02/20/loblaw-resets-all-pc-plus-passwords-after-breach-steals-member-points.html

Of course, decisionmaking is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

and a consensus statement from US computer scientists advising against Internet voting

http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

* Voter authentication
* Unsupervised voting

The combination of unsupervised voting and the inability to conclusively authenticate individual voters raises a number of very significant democratic issues: 1) voter credentials can now be bought and sold 2) since voting is unsupervised, even legitimate voters can be coerced by their friends or family to vote a particular way

* Role of the candidates/scrutineers change

In fact, any meaningful role for candidates and scrutineers in examining the conduct of the election is gone.  Their scrutineer role hasn’t changed, it’s been eliminated.  The entire trust that used to be established by watching physical ballots being counted in public is replaced by a transfer of trust to the black box of a third-party, for-profit, Internet voting technology vendor.  There is nothing to examine, there is nothing to recount.  A vote count comes out of the computer that cannot be challenged or changed.

* a summary of other municipalities’ 2014 Voting Method and 2018 Proposed Voting Methods

Not cited in the list in the Orillia report are:

[Correction to email, should say] Not cited in the list in the Orillia report (or changed since the report was released) are:

* Kitchener – no Internet voting in 2014, no Internet voting in 2018

* Waterloo – no Internet voting in 2014, no Internet voting in 2018

* Guelph – advance Internet voting in 2014, no Internet voting in 2018 (following an extensive debate with over 200 submissions and over a dozen deputants)
* Toronto – no Internet voting in 2014, no Internet voting in 2018

* Ottawa – no Internet voting in 2014, no Internet voting in 2018

https://web-beta.archive.org/web/20140217203039/http://www.therecord.com/news-story/2617898-kitchener-rejects-internet-voting/

http://www.therecord.com/news-story/4236054-waterloo-rejects-online-voting-in-2014-municipal-election/

http://www.therecord.com/news-story/6980847-waterloo-council-rejects-internet-voting-for-2018/

https://www.guelphtoday.com/local-news/guelph-city-council-deletes-online-voting-for-2018-municipal-election-596779

https://www.thestar.com/news/city_hall/toronto2014election/2014/07/23/toronto_cancels_plan_to_allow_online_phone_voting_for_disabled_citizens_in_2014.html

http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

Toronto’s report states, in part:

Internet Voting

Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • *  Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • *  Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
Lastly, I will look at the security aspect of the Orillia report:
* The implementation of an electronic voting solution must ensure that the process is secure, provides confidentiality of the individual voter and provides accurate and reliable results.
The above statement is correct.  However, the report then fails to cover all aspects of “the process” including the home computer.  Securing a central server without securing all of the home computers that connect to it is like protecting a single big tree in a forest and declaring the forest is totally secure from damage, ignoring the fact that many of the smaller trees in the forest could be cut down.

Similarly, the ability to truly, provably separate the identity of an individual voter from the vote they cast is not possible with a computer-based systems.  Computers are designed to track changes made.  It is extraordinarily difficult to make a system that can simultaneously determine that an individual has permission to vote, while then not recording somewhere in the system which user cast which vote.  Lastly, accurate and reliable results require strong evidence.  The computer can’t be inspected in any meaningful way; it’s a black box.  The municipality is transferring the entire trust in the election from a process of open casting and counting of paper ballots to a closed system that exists entirely within the computer and is controlled entirely by the third-party voting technology vendor.

If Orillia nevertheless decides to proceed with Internet voting and is truly confident in the security of its system, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.
ENDCOMMENT

Comments about Guelph Internet voting

A letter submitted for the April 24, 2017 Guelph Council meeting, agenda item COW – CS – 2017.04 2018 Municipal Election: Methods of Voting.

COMMENT

Dear Mayor and Councillors:

The Internet threat environment has changed since 2013 when Guelph did its initial analysis of online voting.  Since then, Ontario, British Columbia, New Brunswick and the federal government have all released reports on online voting, and all have recommended against it at the provincial or national level.  Threats have gotten worse while security technology has not advanced at the same pace, to the extent that the Economist magazine just did a cover story proclaiming “Why computers will never be safe”.

http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

Of course, decisionmaking is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

If you do choose to continue with online voting, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.

In staff report CHR – 2013 – 30 “2014 Municipal Election:  Methods of Voting”, principles for a municipal election are outlined.  Here is my evaluation of online voting against three of those principles:

  • the secrecy and confidentiality of the voting process is paramount;

Use of a third-party vendor for online voting compromises voting secrecy and confidentiality.  Even if the voting systems were developed and hosted in-house, the information necessary to cast a vote (the voter identification) is extremely difficult to completely separate inside the computer from the vote cast.  Additionally, unsupervised remote voting opens the potential for anyone to view a vote that is being cast (and indeed to coerce the vote, or to pay someone for their voting credentials).

  • the integrity of the process shall be maintained throughout the election;
  • there is to be certainty that the results of the election reflect the votes cast;

The chain-of-custody for an Internet ballot extends from the personal computing device, across the Internet, and through to the voting servers.  There are potential threats to the integrity of the process at every stage, from compromised (“hacked”) home computers, through to denial-of-service attacks and potential vote alteration or addition of votes (“ballot stuffing”) at the server end.  Or the computer code could simply have errors in it (all computer programs have errors).  There is no way to observe the entire process; it is a black box.  Therefore there can be no real certainty that the results of the election reflect the votes cast.

Additional information supporting the above statements is available in an appendix to this email.

Thank you,

Richard Akerman

Appendix

Changes since 2013 report

The primary report is the July 16, 2013 “An Analysis of Alternative Voting Methods“.  http://guelph.ca/wp-content/uploads/AnalysisOfAlternativeVotingMethods.pdf

Both Elections Canada and Elections Ontario have been actively exploring the prospect of implementing an online voting channel for a number of years and have since allocated resources to undertake a detailed investigation and feasibility review of doing so.

As of 2017, neither Elections Canada nor Elections Ontario has implemented online voting, nor are they actively exploring the possibility.

A consultation by the Canadian Parliamentary Special Committee on Electoral Reform recommended against online voting[1], and the Canadian government accepted the recommendation.[2]  On March 2, 2017 Elections Canada released an RFP which included the statement “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”[3]

Ontario’s Alternative Voting Technologies Report, released June 2013, recommends against online voting and there is no online voting in provincial elections in Ontario.[4]

[1] December 2016 – Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8655791&File=291#87 – “Recommendation 4: The Committee recommends that online voting not be implemented at this time.”

[2] April 2017 – Government Response to Report Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8853290 – “The Government accepts this recommendation.  We will not implement online voting at this time.”

[3] March 2017 – Elections Canada RFP – https://buyandsell.gc.ca/cds/public/2017/03/02/967d72343b6234a0571287c709b7ae1f/ecrs-rfp-16-0167_-_anpp_-_ec-vsm-pppe_-_bilingual.pdf – “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”

[4] June 2013 – Alternative Voting Technologies Report – Ontario Chief Electoral Officer’s Submission to the Legislative Assembly (PDF) – http://www.elections.on.ca/content/dam/NGW/sitecontent/2014/reports/Alternative%20Voting%20Technologies%20Report%20%282012%29.pdf – “At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.”

Additional Context

In fact, there is no provincial online voting anywhere in Canada, and there is only municipal online voting in Nova Scotia and Ontario.  Reports from Nova Scotia [5], New Brunswick [6] and British Columbia [7] have all recommended against provincial online voting.  Quebec has had a moratorium on provincial online voting since investigating problems with its electronic voting machines in 2005.[8]

[5] Elections Nova Scotia: Annual Report of the Chief Electoral Officer April 1, 2012 – March 31, 2013 (PDF) – https://electionsnovascotia.ca/sites/default/files/ENS%20AR%20Web%202012_13.pdf – specifically pp. 14-16 Appendix I: Internet and Telephone Voting in Nova Scotia.

[6] March 2017 – A pathway to an inclusive democracy (PDF) – http://www2.gnb.ca/content/dam/gnb/Departments/eco-bce/Consultations/PDF/PathwayToAnInclusiveDemocracy.pdf – specifically pp. 20-21 E-voting

[7] February 2014 – Independent Panel on Internet Voting: Recommendations Report to the Legislative Assembly of British Columbia (PDF) – http://www.internetvotingpanel.ca/docs/recommendations-report.pdf

[8] October 2006 – Electronic voting – Le Directeur général des élections du Québec (DGEQ)http://www.electionsquebec.qc.ca/english/municipal/media/electronic-voting.php

There is a consensus statement from US computer scientists advising against Internet voting.[9]

[9] http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

END COMMENT

Here are additional documents I tracked down as part of writing the above comment:

2014 Election Cycle

July 16, 2013 — An Analysis of Alternative Voting Methods (PDF) — by Blair Labelle, City Clerk

July 16, 2013 — Staff Report CHR – 2013 – 30 — 2014 Municipal Election:  Methods of Voting (PDF) — Prepared and Recommended by Blair Labelle, City Clerk

June 2, 2014 (Amended September 15, 2014) — Procedures for Voting and Vote  Counting Equipment for the 2014  Municipal Election (PDF)

2018 Election Cycle

September 6, 2016 — Staff Report CS-2016-73 –Municipal  Election  Modernization,  Service  Expansion  and  Ranked  Ballot  Election (PDF; pp. 255-289) – Prepared by Jennifer Slater, Approved by Stephen O’Brien, City Clerk

April 3, 2017 — 2018 Municipal Election Voting Methods  (PDF; pp. 99-109) – by Stephen O’Brien, City Clerk and Returning Officer

April 3, 2017 — Staff Report CS  -2017.51 — 2018  Municipal Election: Methods of Voting (PDF, pp. 110-115) — Prepared by Tina Agnello, Deputy City Clerk; Approved by Stephen O’Brien, City Clerk

Other Reports Cited by Guelph

June 23, 2005 — Risk Analysis of Traditional, Internet, and other Types of Voting  Alternatives for Town of Markham — by Harry M. Kim

Internet voting filter bubbles

From a Canadian perspective, there are basically three groups that examine Internet voting:

  • social scientists that examine people’s attitudes, feelings and behaviours associated with Internet voting
  • staff at municipalities that have chosen Internet voting and see it as just another digital service to offer, and the vendors they procure Internet voting from
  • computer scientists that examine Internet voting from the perspective of requirements and threat risk assessment

These three communities basically don’t interact.  The social scientists cite one another.  The municipal staff and vendors reference other municipalities and vendor analysis.  The computer scientists cite one another.  This gives three basically different filtered world views.

  • The social science perspective indicates some level of popularity of Internet voting either conceptually or in practice, and associated levels of satisfaction.  It also documents the expectations of turnout (high) and the reality of turnout (no change).  Additionally and unfortunately it sometimes reports on perceptions of security, which are meaningless.  It doesn’t matter how safe you feel jumping off a cliff, the same thing will still happen at the bottom when you encounter reality.
  • At best, municipalities approach Internet voting from a digital services perspective, and do the standard things one does for a transactional service, including security buzzwords like firewalls and encryption, obtaining vendor assurances, and contracting confidential security assessments.  One of their primary sources of technical information is the vendors themselves.  Two issues are that Internet voting is not a standard transactional service, and that vendors have literally millions of dollars in sales at stake.
  • Computer scientists look at the requirements for voting systems, e.g. the Computer Technologists’ Statement on Internet Voting.  When they evaluate real Internet voting systems against those requirements, they always find that current systems cannot meet the requirements.  In order to provide the best security assessment of the real systems, they seek the ability to conduct truly independent and public security assessments of the technology being used (this is almost always denied).  They also assess the full spectrum of potential risks against a system.  That includes technical risks and non-technical risks.  An often overlooked risk is the risk of coercion when voting no longer takes place in private in a supervised location (the polling place).  They also examine techniques used by very sophisticated attackers, as well as very basic but successful techniques (e.g. phishing) and the risk of insider attacks.  For a service where there is no way for the end user to verify their intended result (due to the combination of secret ballot and coercion avoidance), the inevitable conclusion is that there are no adequate risk mitigation measures.

So the answer you get about Internet voting depends on which community you ask.  If you ask social scientists, it’s popular.  If you ask municipalities that have implemented it, they assure you that everything is going fine.  If you ask computer scientists, they will tell you that it is not a regular transactional digital service, and that using Internet voting introduces catastrophic risk.

You can get a pretty easy indication of which community is talking by looking for language clues.  If the discussion is around popularity, it’s probably a social science analysis.  If the discussion is around firewalls and encryption and security assurances, it’s probably municipalities.  If the discussion is around risks, it’s probably computer scientists.

It may seem odd that computer scientists would speak in less technical language, but that’s because specific technical measures are much less important than a system-wide requirements and threat analysis, particularly in an environment including home computing devices and non-technical online service users.

The result of having these different communities means that basically only consultations that include the computer science community recommend against voting using computers, which may be an unexpected outcome.  But it is the outcome of any serious consultation, including e.g. New Brunswick, Nova Scotia, Quebec, Ontario, British Columbia, the Government of Canada, and the Government of Australia.

The Ontario municipal association AMCTO is holding a 2017 event for municipal clerks, featuring a session about the security of Internet voting.  The presenters will be

  • a clerk from a municipality that has approved Internet voting
  • an Internet voting vendor representative
  • a second Internet voting vendor representative

I leave it to you to conclude which filter bubble will be in operation.

 

Province of Ontario Internet voting

(This post is about provincial-level voting, not the municipal elections covered in the Municipal Elections Act.)

Ontario examined provincial online voting from fall 2010 to fall 2012, with the resulting three years of investigation being published as a report on “alternative voting technologies” in June 2013.  The report is in two parts, consisting of the main report and a separate Appendix 5 which is a 231-page business case about online voting.

The report is currently available on the Elections Ontario page Reports and Publications, under Recommendations

The report concludes that Internet voting, which it calls “network voting”, is not ready for use because it does not meet the necessary requirements and needed level of integrity.

Elections need to be administered with proven, well-tested, and secure processes. Innovations must be tested in a methodical and principled manner, so that the benefits and risks of the innovation can be objectively assessed, without endangering the trust that electors have in the integrity of the process and the validity of the results.

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

The report sets out very clear requirements that a voting system needs to meet

Our implementation criteria are:

  • Accessibility:
    The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
  • Individual verifiability:
    The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
  • One vote per voter:
    Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
  • Voter authentication and authorization:
    The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
  • Only count votes from valid voters:
    The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
  • Voter privacy:
    The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
  • Results validation:
    The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
  • Service availability:
    The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

This language calls to mind the requirements in the Computer Technologists’ Statement on Internet Voting.

The report identifies a number of risks that are specific to Internet voting, including digital authentication, digital denial of service, and lack of transparency.

When developing our implementation criteria, we ensured that they addressed the following risks and limitations:

  • Security concerns – security breaches that could jeopardize the integrity of the voting process.vi
  • Secure digital authentication mechanisms are not available.vii
  • The possibility of denial of service – whether deliberate or inadvertent.viii
  • Lack of transparency, including for a vote audit or for recount purposes, due to the lack of a paper trail.
  • The digital divide – some electors or subgroups of electors do not have equal access to the internet.
  • Network voting is costly – particularly when supplementing existing voting channels.ix

The end notes are
viFor example, Vaughan, Huntsville, Edmonton. Edmonton recently completed a trial implementation of internet voting, where electors were invited to vote online for their favourite colour of jellybean. On the basis of this trial, a citizen panel recommended to city council that they proceed with plans for internet voting in the upcoming election for the city of Edmonton. However, the city council rejected this recommendation, citing concerns regarding security.
viiFor example, Vaughan; concerns raised by McAfee
viiiVaughan and others citing the denial-of-service experience faced by the NDP during its 2012 leadership election.
ixFor example, Vaughan; U.S. military

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

The report continues by examining the use of Internet voting in Ontario municipalities.

In 2010, 44 of 444 Ontario municipalities offered network voting for their municipal elections.

Turnout does not increase when online voting is offered.

The academic literature supports Markham’s experience in suggesting that there are inconclusive results about the impact of network voting on voter turnout. Voter turnout is influenced by a number of factors, many which are difficult to quantify. These include, for example, the competitiveness of the election, candidate campaign mobilization efforts, issues at stake, voter fatigue, and the weather, among other elements that may vary from one election to the next in the same jurisdiction.

The technology, introduced with claims of efficiency, sometimes actually introduces delays and increases risk.

…a total of 33 municipalities experienced system delays on election day when servers became overloaded due to hardware problems and higher-than-expected levels of access by election candidates. Electors were delayed in casting their votes during this time. In some cases, voting hours were extended by an hour in order to compensate for the lost time; at least one municipality extended voting for a full day.

The hardware server error experienced by the vendor raises concerns regarding reliance on vendors to provide critical election related services such as election results accumulation and tabulation. An overreliance on vendors and technology can heighten risks to the electoral process if appropriate mitigation strategies are not in place.

When Ontario examined the municipal experience and compared the technology available with the requirements (listed earlier), they concluded

If we return to public expectations that a network voting solution would be more convenient, just as secure and less cumbersome than our current processes, the experiences of many Ontario municipalities indicate that the benefits of network voting may not be as great as predicted.

The report then looks at Nova Scotia

In 2008, four municipalities in Nova Scotia offered internet voting in their municipal elections. By 2012, that number had grown, and 15 municipalities offered internet voting.

and at Alberta

After the City of Edmonton withdrew its support in February 2013, Alberta withdrew its funding for other internet voting pilots and decided not to proceed with a regulatory change that would have permitted pilots in municipal elections.

Ontario’s conclusion based on federal and provincial evidence:

Most jurisdictions have concerns with the security of voting over the internet as technology and legislative frameworks have not yet evolved to fully address integrity concerns.

When examining the US experience, Ontario finds particular importance in independent public audits:

First, we will need to extensively test any proposed solution to ensure that it meets our implementation criteria. When conducting these tests, we should consider the value of offering independent, public review and open testing to ensure that Ontarians can be satisfied that we have resolved any potential concerns regarding security, privacy, authentication, and verification.

The report then turns to the 2003 and 2007 Internet voting trials in the UK. For the large trial in 2003 it finds:

Overall, although electors enjoyed the convenience of network voting, it had a very minimal affect on turnout. While some jurisdictions experienced voter turnout increases up to 5 per cent, other jurisdictions registered a decline in voter turnout of up to 8 per cent.xxviii

For 2007, the results were even worse:

In a review of the pilots, the United Kingdom Electoral Commission found there was insufficient time available to implement and plan the pilots, and the quality assurance and testing was undertaken too late and lacked sufficient depth. The United Kingdom Electoral Commission stated that “the level of implementation and security risk involved [with the pilots] was significant and unacceptable”.xxx

The end notes are
xxviiiUnited Kingdom Electoral Commission. 2005. Securing the Vote.
xxxUnited Kingdom Electoral Commission. 2007. “Key issues and conclusions: May 2007 electoral pilot schemes.”

See the references mentioned in the end notes in the copy of Appendix 3: Selected Works Consulted.

All that remains of the Securing the Vote report on the UK Electoral Commission site is the page Securing the vote – detailed proposals for electoral change announced.  The actual document itself does not show up in search.  The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots, the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online.  There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Returning to the Province of Ontario report, moving on to conclusions, the key point that Internet voting does not increase turnout is again emphasized

As we discussed earlier in this report, often people assume that introducing a new channel of voting such as network voting will translate to an increase in voter turnout. Our research supports the findings of the City of Edmonton’s Issues Guide on Internet Voting which states that, at present, there is

“no conclusive evidence that shows introducing Internet voting will have a positive impact on turnout. Internet voting will not fix the problem of voter turnout decline completely –it is not a solution to the social and political causes of non-voting. ….”xxxiii

The end note is

xxxiiiGoodman Issues Guide: Internet Voting. p. 20.

This is a reference to Edmonton’s Issues Guide: Internet Voting by Nicole Goodman, November 2012.  Currently available from the City of Edmonton, and also in the Internet Archive.

To quote the Issues Guide:

The rationale(s) for not adopting Internet voting or for being more cautious in its consideration include topics such as security, notably threats of hacking and election fraud and problems associated with voter authentication. Privacy/ ballot secrecy is also cited as a worry. Additionally, there is uncertainty surrounding an effective evaluation process such as the ability to audit the election that may include a re-count or some type of ballot verification.

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

Moving to Appendix 5: Network Voting Business Case

Alternative Voting Technologies Report – Appendix 5 Network Voting Business Case (2012).pdfcopy in Internet Archive

I will quote only the section on chain of trust, just to illustrate the complexity of properly building an Internet voting system, followed with some commentary:

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

  1. Source code audit to verify that the code will do only what it is intended to do.
  2. Digital signature of the audited source code to protect its authenticity and integrity.
  3. Trusted build of the executable code in front of auditors (based on audited source code).
  4. Signature of the executable code to protect its authenticity and integrity.
  5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
  6. Logic and accuracy testing of the voting system to validate it works properly.
  7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
  8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
  9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

So this sounds reasonable, if challenging, time-consuming, and expensive, plus requiring a great deal of specialised expertise (which means excluding most oversight by ordinary citizens). But when examined from a computer science perspective, it might as well be called “the insurmountable mountain chain of trust“, because each step indicated above is a difficult problem in and of itself, and some of them are active areas of research because they are currently unsolved.  Doing a meaningful source code audit for any non-trivial source code is incredibly challenging.  Making a “trusted build” is almost impossible, because literally every software component in the build needs to be somehow trusted.  Needing trusted software components means a logical loop that can’t be satisfied: in order to build trusted software, you need a trusted compiler, but in order to build a trusted compiler, you need a trusted compiler.  Similarly, the concept of “logical seals” sounds great, but no such thing exists.  You might as well say “magic lock”.  This is just one of the reasons why computer scientists will tell you that secure Internet voting with trusted software is a problem that isn’t currently solved.

Finally, here are the works cited by the main report. Where necessary, I have added Internet Archive links for unavailable works.

APPENDIX 3 – SELECTED WORKS CONSULTED

Toronto Internet voting

UPDATE 2016-12-02: On December 1, 2016 Toronto Executive Committee adopted report EX20.5, which includes a recommendation against Internet voting. The report will next be considered by Toronto City Council on December 13, 2016. ENDUPDATE

To its credit, Toronto had computer scientists Aleksander Essex and Jeremy Clark examine available online voting systems in 2014 (to the extent that one can examine a system primarily from an architecture perspective, without being able to actively hack in).  The resulting report concluded that none of the systems were adequate for the requirements.

https://www.verifiedvoting.org/wp-content/uploads/2014/09/Canada-2014-01543-security-report.pdf

As part of a regular process, Ontario municipalities are now individually reviewing their voting processes, with a particular emphasis on whether to use ranked ballots and Internet voting.

I am told that Toronto’s 2016 staff report on the topic will shortly be available as part of Executive Committee meeting 20 on December 1, 2016, which means it should be linked at

http://app.toronto.ca/tmmis/decisionBodyProfile.do?function=doPrepare&meetingId=10995#Meeting-2016.EX20

UPDATE 2016-11-24: The agenda for the December 1, 2016 Executive Committee meeting has been released, including item EX20.5 – Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election.  It maintains the City Clerk’s recommendation against Internet voting.

This report also advises that there have been insufficient advances in Internet security to accept the risks of implementing Internet voting for the 2018 general election. The challenges identified by both City staff and security experts in 2014 remain unresolved. Internet voting continues to be vulnerable to security threats and attacks while raising concerns about secrecy of the vote, verifiability and overall election integrity.

The report itself is available, consisting of a main report and multiple appendices, of which I will highlight:

From the main report I will highlight just part of the excellent Part B section 3. Internet Voting

3. Internet Voting

Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

The recommendations from the City Clerk will first be considered by Executive Committee December 1, 2016 and then in the normal course of events will proceed to Council for final approval December 13, 2016.

ENDUPDATE

UPDATE 2016-11-25:

The main report cites the following sources about Internet voting

ENDUPDATE

Sidebar:

Note that Internet voting is used by a substantial number (I believe 97) of municipalities in Ontario, for which

  • they are small municipalities (e.g. a few tens of thousands of people)
  • they have limited in-house IT capacity and expertise
  • they have not conducted any public computer scientist review of the systems (unlike Toronto)
  • they are all using private, third-party, for-profit companies as the Internet voting providers (i.e. they procure Internet voting, as if it were any other kind of customer service)