Tag: UK

Remote voting in the UK House of Commons – Remote Divisions become reality

On May 12, 2020 the UK House of Commons conducted its first remote Division (remote vote).

UK Parliamentary Business – News – MPs cast first ever remote votes in Commons Chamber
The vote was conducted through MemberHub, the UK Parliament’s member website, which has Microsoft authentication.  Multi-factor authentication (MFA) was used to protect the authentication for the remote voting (the Internet voting).

There is some background on the development of the system in a Wired UK article by Chris Stokel-Walker: Inside the troubled, glitchy birth of parliament’s online voting app

Messaging about the voting system, which piggybacks on existing parliamentary IT systems, through the MPs MemberHub application, hasn’t been enormously clear. …

“We were asked to start looking into it just before Easter weekend,” says Matt Stutely, of Parliament Digital Services, who has been developing the voting service. Stutley dug out what he calls “a dusty chest of war plans we have in case we were ever asked to implement [online voting]”.

UPDATE 2020-05-14: Matt Stutely, the Head of Business Systems Development for the Parliamentary Digital Service, has written a blog post about the process of developing this service in the incredibly tight timeline of four weeks.

MPs make history with remote voting – the story of how it happened

In early April 2020, we were asked by the House of Commons to build a remote voting application for Members in just four weeks.

He indicates that making a service for remote voting (Internet voting) for the House of Lords will be next.

END UPDATE

UPDATE 2020-05-13: On May 6, 2020 the Procedure Committee wrote to the Speaker about the remote voting system.  The correspondence system has the full letter (PDF).

Members who by their actions facilitate a non-Member to cast a vote in a division of the House are very likely to be found to have committed a contempt of the House and to have breached the Code of Conduct, and can expect to be punished accordingly.

Call for Evidence

The Procedure Committee is conducting a Call for Evidence about all aspects of changed procedures during Coronavirus restrictions.  The call ends 3 June 2020.

Full Report

On May 8, 2020 the Procedure Committee issued a full report regarding remote voting in divisions.

This report notes:

The integrity of the system depends on Members. The remote voting system is not as secure as a system where a Member must vote in a division lobby in person.

and the Rt Hon Karen Bradley MP, Chair of the Procedure Committee, said

The present remote voting system was developed at high speed as a temporary measure for use during the pandemic.

For more information:

There is some technical detail in the full report, although at a very high level.  See Technical aspects of the remote voting system on pages 11-16 of the PDF above (items 23 through 51).

24. System security is delivered by the use of MemberHub, which uses single sign-on and multifactor authentication. All data is encrypted and sent over a secure connection, and voting records are stored in both MemberHub and the existing electronic divisions system. The bicameral Information Authority has issued a decision statement confirming it is content with the information security of the remote voting system, taking account of advice it received from the National Cyber Security Centre. The Speaker has been informed of the Information Authority’s decision.

28. The existing arrangements for divisions in person through the lobbies have particularly secure authentication arrangements which may be evident but are worth repeating here. To gain access to a voting lobby a Member must first gain access to a secure area of the estate using a security pass with a photo, and must pass a number of security staff and doorkeepers. In order to vote successfully, a Member who has taken his or her seat in the House25 must pass through a lobby containing several other Members and typically actively patrolled by party whips, and must then give a name to a division clerk and pass out of the lobby between two tellers.

29. This high level of authentication is not replicated in the remote voting system over MemberHub. …

30. The Committee’s opinion on the suitability of the remote voting system over MemberHub is given on the basis that the system is designed for temporary use during the COVID-19 pandemic and has not been designed for permanent use to replace the existing arrangements for physical divisions.

END UPDATE

Remote Division

Before the remote Division, the Speaker made a Statement, including:

I ask all Members to pay careful attention to what the Procedure Committee says about the integrity of the system. As the Committee states, any attempt to allow anyone who is not a Member to vote is likely to be a serious breach of privilege.

The UK House of Commons and UK Parliament Twitter feeds shared images:

Remote Division was called.

The results are in Hansard and can be viewed in detail at https://votes.parliament.uk/Votes/Commons/Division/783

More detail about the system is expected to be forthcoming in a blog post by the UK Parliamentary Digital Service this week.

Parliamentary votes are different from votes in a general election in at least three major ways:

  1. Votes can be coerced (in fact the role of the Whip is basically to enforce party direction on how to vote)
  2. Votes are not anonymous
  3. Votes are not secret

That being said, there are still lots of considerations for remote voting and technology voting, including concerns about the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security.

Auditability is a really challenging one.  Basically either each individual MP would have to check that their vote has been counted based on their intention, and even then, they’re no longer all standing in a room where they can see how other members voted (unlike the Canadian system where members stand one-by-one to be counted, in the UK MPs literally go to gather together by Aye and No votes in two physically separate locations, as described in the Voting section of MP’s Guide to Procedure).  Unlike counting people in a room, online it’s hard if not impossible to get a good sense of whether the vote count reflects the votes cast.

Security is also a challenging one given that computers can lie, with customized malware capable of showing one result (e.g. an Aye vote) on screen and sending another (e.g. a No vote) to the voting software.  In that light, it’s worth mentioning that the vote took place over the web on Patch Tuesday, with both Microsoft and Adobe releasing patches for vulnerabilities (“A remote attacker could exploit some of these vulnerabilities to take control of an affected system.”)

It will be interesting to learn what risks were identified and how they were mitigated.

There is also a larger question, deeply related to human intentionality, about the physical and psychological differences between literally standing to be counted or literally voting with your feet by moving to one room or another, versus tapping a square on a screen.

Remote voting (Internet voting) in a Parliamentary context is different from electronic voting in the chamber itself.  I covered some of the considerations for in-chamber voting in the Canadian context in my blog post Electronic voting in the Canadian House of Commons.

The First Incorrect Votes

In a remote Division on 13 May 2020, the Deputy Speaker reported

I have been informed that a small number of Members have inadvertently cast their votes, by electronic means, in the opposite way to the one in which they intended to vote. I am informed that their use of technology was not quite as good as they felt it ought to be and that a few Members have made a mistake. There is no provision under the current temporary system by which a Member can change their vote once it has been cast, but I am satisfied that even if a small number of votes had been cast in a different way it does not affect the result of the Division.

When such a situation is detected and affects the result of the Division, the Speaker has the authority to call a revote:

If problems in the conduct of a remote division which might have affected the result are reported after the result is announced, the Speaker may declare the division to be null and void and make arrangements for it to be re-run.

Auditability in a Whipped Parliamentary System

This also gets to a point about voting in a whipped Parliamentary system, which is that in the absence of a free vote, Whips are expecting votes along party lines, which makes it pretty easy to detect potential voting errors.  So there are definitely different auditability concerns than in a totally free vote; even if an individual member doesn’t notice they have voted opposite from their intent, their party is likely to notice very quickly.

SIDEBAR: This is another example of how Internet voting in a Parliamentary context differs from Internet voting in a general election.  In a general election, in order to preserve the secret ballot and to limit coercion, it must not be possible for anyone, including the elector, to show how they voted, or to verify how they voted.  Which makes one wonder e.g. how many Ontario and Nova Scotia municipal Internet votes might have been incorrectly cast, with no way to verify the intended result.  END SIDEBAR

News Story

In a story that I think is probably from PA Newswire, with headline including “amid remote voting errors”, it was reported

The division list showed 22 Conservative MPs supported the amendment, and in theory rebelling, although they included Chancellor Rishi Sunak – who made a mistake in the voting process rather than staging a shock bid to depart the Government.

A source close to Mr Sunak blamed “online teething problems with the system”, adding: “The Chancellor did not intentionally vote against the Government. He called the chief whip straight away to explain.”

As dozens of newspapers and news sites carried the wire story, you can pick your source, the first one that comes up in Google for me is the Express and Star.

Background

Remote voting (Internet voting) was authorised by the UK House of Commons Speaker on May 6, 2020 and was extended to May 20, 2020 by agreement of MPs.

The system was developed by the UK Parliamentary Digital Service.  Thanks to the Parliamentary Digital Service and Head of Business Systems Development Matt Stutely for responding to my questions on Twitter.  Thanks to the Procedure Committee, on Twitter @CommonsProcCom, for sharing links to its detailed report.

UK 2005 Securing the Vote report and 2007 e-voting trials

Nothing remains of the May 2005 Securing the Vote report on the UK Electoral Commission site.  There used to be a page Securing the vote – detailed proposals for electoral change announced but it is now gone.

The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots, the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online. There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Note: The preceding is extracted from previous blog post Province of Ontario Internet voting.

UPDATE 2019-07-08: Just to bring all the pieces of the puzzle together, I will also point to a 2008 news release – Official report on internet voting pilot at Rushmoor elections published.

Other key findings in the report are that:

  • there was no impact on turnout, which actually decreased very slightly from 36 percent in 2006 to 35.2 per cent at these elections;
  • most internet voters (70 per cent) said they would have voted anyway;

Province of Ontario Internet voting

(This post is about provincial-level voting, not the municipal elections covered in the Municipal Elections Act.)

Ontario examined provincial online voting from fall 2010 to fall 2012, with the resulting three years of investigation being published as a report on “alternative voting technologies” in June 2013.  The report is in two parts, consisting of the main report and a separate Appendix 5 which is a 231-page business case about online voting.

The report is currently available on the Elections Ontario page Reports and Publications, under Recommendations Other publications and documentation

The report concludes that Internet voting, which it calls “network voting”, is not ready for use because it does not meet the necessary requirements and needed level of integrity.

Elections need to be administered with proven, well-tested, and secure processes. Innovations must be tested in a methodical and principled manner, so that the benefits and risks of the innovation can be objectively assessed, without endangering the trust that electors have in the integrity of the process and the validity of the results.

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

The report sets out very clear requirements that a voting system needs to meet

Our implementation criteria are:

  • Accessibility:
    The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
  • Individual verifiability:
    The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
  • One vote per voter:
    Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
  • Voter authentication and authorization:
    The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
  • Only count votes from valid voters:
    The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
  • Voter privacy:
    The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
  • Results validation:
    The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
  • Service availability:
    The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

This language calls to mind the requirements in the Computer Technologists’ Statement on Internet Voting.

The report identifies a number of risks that are specific to Internet voting, including digital authentication, digital denial of service, and lack of transparency.

When developing our implementation criteria, we ensured that they addressed the following risks and limitations:

  • Security concerns – security breaches that could jeopardize the integrity of the voting process.vi
  • Secure digital authentication mechanisms are not available.vii
  • The possibility of denial of service – whether deliberate or inadvertent.viii
  • Lack of transparency, including for a vote audit or for recount purposes, due to the lack of a paper trail.
  • The digital divide – some electors or subgroups of electors do not have equal access to the internet.
  • Network voting is costly – particularly when supplementing existing voting channels.ix

The end notes are
viFor example, Vaughan, Huntsville, Edmonton. Edmonton recently completed a trial implementation of internet voting, where electors were invited to vote online for their favourite colour of jellybean. On the basis of this trial, a citizen panel recommended to city council that they proceed with plans for internet voting in the upcoming election for the city of Edmonton. However, the city council rejected this recommendation, citing concerns regarding security.
viiFor example, Vaughan; concerns raised by McAfee
viiiVaughan and others citing the denial-of-service experience faced by the NDP during its 2012 leadership election.
ixFor example, Vaughan; U.S. military

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

The report continues by examining the use of Internet voting in Ontario municipalities.

In 2010, 44 of 444 Ontario municipalities offered network voting for their municipal elections.

Turnout does not increase when online voting is offered.

The academic literature supports Markham’s experience in suggesting that there are inconclusive results about the impact of network voting on voter turnout. Voter turnout is influenced by a number of factors, many which are difficult to quantify. These include, for example, the competitiveness of the election, candidate campaign mobilization efforts, issues at stake, voter fatigue, and the weather, among other elements that may vary from one election to the next in the same jurisdiction.

The technology, introduced with claims of efficiency, sometimes actually introduces delays and increases risk.

…a total of 33 municipalities experienced system delays on election day when servers became overloaded due to hardware problems and higher-than-expected levels of access by election candidates. Electors were delayed in casting their votes during this time. In some cases, voting hours were extended by an hour in order to compensate for the lost time; at least one municipality extended voting for a full day.

The hardware server error experienced by the vendor raises concerns regarding reliance on vendors to provide critical election related services such as election results accumulation and tabulation. An overreliance on vendors and technology can heighten risks to the electoral process if appropriate mitigation strategies are not in place.

When Ontario examined the municipal experience and compared the technology available with the requirements (listed earlier), they concluded

If we return to public expectations that a network voting solution would be more convenient, just as secure and less cumbersome than our current processes, the experiences of many Ontario municipalities indicate that the benefits of network voting may not be as great as predicted.

The report then looks at Nova Scotia

In 2008, four municipalities in Nova Scotia offered internet voting in their municipal elections. By 2012, that number had grown, and 15 municipalities offered internet voting.

and at Alberta

After the City of Edmonton withdrew its support in February 2013, Alberta withdrew its funding for other internet voting pilots and decided not to proceed with a regulatory change that would have permitted pilots in municipal elections.

Ontario’s conclusion based on federal and provincial evidence:

Most jurisdictions have concerns with the security of voting over the internet as technology and legislative frameworks have not yet evolved to fully address integrity concerns.

When examining the US experience, Ontario finds particular importance in independent public audits:

First, we will need to extensively test any proposed solution to ensure that it meets our implementation criteria. When conducting these tests, we should consider the value of offering independent, public review and open testing to ensure that Ontarians can be satisfied that we have resolved any potential concerns regarding security, privacy, authentication, and verification.

The report then turns to the 2003 and 2007 Internet voting trials in the UK. For the large trial in 2003 it finds:

Overall, although electors enjoyed the convenience of network voting, it had a very minimal affect on turnout. While some jurisdictions experienced voter turnout increases up to 5 per cent, other jurisdictions registered a decline in voter turnout of up to 8 per cent.xxviii

For 2007, the results were even worse:

In a review of the pilots, the United Kingdom Electoral Commission found there was insufficient time available to implement and plan the pilots, and the quality assurance and testing was undertaken too late and lacked sufficient depth. The United Kingdom Electoral Commission stated that “the level of implementation and security risk involved [with the pilots] was significant and unacceptable”.xxx

The end notes are
xxviiiUnited Kingdom Electoral Commission. 2005. Securing the Vote.
xxxUnited Kingdom Electoral Commission. 2007. “Key issues and conclusions: May 2007 electoral pilot schemes.”

See the references mentioned in the end notes in the copy of Appendix 3: Selected Works Consulted.

All that remains of the Securing the Vote report on the UK Electoral Commission site is the page Securing the vote – detailed proposals for electoral change announced.  The actual document itself does not show up in search.  The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots, the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online.  There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Returning to the Province of Ontario report, moving on to conclusions, the key point that Internet voting does not increase turnout is again emphasized

As we discussed earlier in this report, often people assume that introducing a new channel of voting such as network voting will translate to an increase in voter turnout. Our research supports the findings of the City of Edmonton’s Issues Guide on Internet Voting which states that, at present, there is

“no conclusive evidence that shows introducing Internet voting will have a positive impact on turnout. Internet voting will not fix the problem of voter turnout decline completely –it is not a solution to the social and political causes of non-voting. ….”xxxiii

The end note is

xxxiiiGoodman Issues Guide: Internet Voting. p. 20.

This is a reference to Edmonton’s Issues Guide: Internet Voting by Nicole Goodman, November 2012.  Currently available from the City of Edmonton, and also in the Internet Archive.

To quote the Issues Guide:

The rationale(s) for not adopting Internet voting or for being more cautious in its consideration include topics such as security, notably threats of hacking and election fraud and problems associated with voter authentication. Privacy/ ballot secrecy is also cited as a worry. Additionally, there is uncertainty surrounding an effective evaluation process such as the ability to audit the election that may include a re-count or some type of ballot verification.

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

Moving to Appendix 5: Network Voting Business Case

Alternative Voting Technologies Report – Appendix 5 Network Voting Business Case (2012).pdfcopy in Internet Archive

I will quote only the section on chain of trust, just to illustrate the complexity of properly building an Internet voting system, followed with some commentary:

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

  1. Source code audit to verify that the code will do only what it is intended to do.
  2. Digital signature of the audited source code to protect its authenticity and integrity.
  3. Trusted build of the executable code in front of auditors (based on audited source code).
  4. Signature of the executable code to protect its authenticity and integrity.
  5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
  6. Logic and accuracy testing of the voting system to validate it works properly.
  7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
  8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
  9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

So this sounds reasonable, if challenging, time-consuming, and expensive, plus requiring a great deal of specialised expertise (which means excluding most oversight by ordinary citizens). But when examined from a computer science perspective, it might as well be called “the insurmountable mountain chain of trust“, because each step indicated above is a difficult problem in and of itself, and some of them are active areas of research because they are currently unsolved.  Doing a meaningful source code audit for any non-trivial source code is incredibly challenging.  Making a “trusted build” is almost impossible, because literally every software component in the build needs to be somehow trusted.  Needing trusted software components means a logical loop that can’t be satisfied: in order to build trusted software, you need a trusted compiler, but in order to build a trusted compiler, you need a trusted compiler.  Similarly, the concept of “logical seals” sounds great, but no such thing exists.  You might as well say “magic lock”.  This is just one of the reasons why computer scientists will tell you that secure Internet voting with trusted software is a problem that isn’t currently solved.

Finally, here are the works cited by the main report. Where necessary, I have added Internet Archive links for unavailable works.

APPENDIX 3 – SELECTED WORKS CONSULTED