UPDATE 2016-12-02: On December 1, 2016 Toronto Executive Committee adopted report EX20.5, which includes a recommendation against Internet voting. The report will next be considered by Toronto City Council on December 13, 2016. ENDUPDATE
To its credit, Toronto had computer scientists Aleksander Essex and Jeremy Clark examine available online voting systems in 2014 (to the extent that one can examine a system primarily from an architecture perspective, without being able to actively hack in). The resulting report concluded that none of the systems were adequate for the requirements.
As part of a regular process, Ontario municipalities are now individually reviewing their voting processes, with a particular emphasis on whether to use ranked ballots and Internet voting.
I am told that Toronto’s 2016 staff report on the topic will shortly be available as part of Executive Committee meeting 20 on December 1, 2016, which means it should be linked at
UPDATE 2016-11-24: The agenda for the December 1, 2016 Executive Committee meeting has been released, including item EX20.5 – Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election. It maintains the City Clerk’s recommendation against Internet voting.
This report also advises that there have been insufficient advances in Internet security to accept the risks of implementing Internet voting for the 2018 general election. The challenges identified by both City staff and security experts in 2014 remain unresolved. Internet voting continues to be vulnerable to security threats and attacks while raising concerns about secrecy of the vote, verifiability and overall election integrity.
The report itself is available, consisting of a main report and multiple appendices, of which I will highlight:
From the main report I will highlight just part of the excellent Part B section 3. Internet Voting
3. Internet Voting
Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.
The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:
- Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
- Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
- Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
- Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.
The recommendations from the City Clerk will first be considered by Executive Committee December 1, 2016 and then in the normal course of events will proceed to Council for final approval December 13, 2016.
The main report cites the following sources about Internet voting
Note that Internet voting is used by a substantial number (I believe 97) of municipalities in Ontario, for which
- they are small municipalities (e.g. a few tens of thousands of people)
- they have limited in-house IT capacity and expertise
- they have not conducted any public computer scientist review of the systems (unlike Toronto)
- they are all using private, third-party, for-profit companies as the Internet voting providers (i.e. they procure Internet voting, as if it were any other kind of customer service)