wales – Paper Vote Canada 2

The Government of Wales is running a consultation: Electoral reform in local government in Wales. The consultation closes 10 October 2017.

A variety of questions are considered, but for the purposes of this blog there are three of interest:

Q21 electronic voting (this appears to be defined solely as paperless touch-screen voting in polling places)
Q22 remote voting (Internet voting)
Q23 electronic counting

In what I have found is fairly typical fashion, the main consultation paper (PDF) does not cite any references, and makes brief, broad, generally positive statements. (The youth and “easy read” consultation versions in turn simplify and amplify these statements to an extreme degree.)

Responding to the Consultation

You can fill in an online form,

but in order to be able to provide more extensive comments, you may instead want to download the email response form (DOCX), complete it (or complete whichever sections are relevant to you) and send it to RLGProgramme@wales.gsi.gov.uk

Reminder that the deadline is 10 October 2017.

Q21 Electronic Voting

(page 18 in main consultation document)

This is defined solely as touch-screen voting. There is no mention of paper output, so presumably paperless touch-screen voting.

Extracts from statements + commentary

5.14. This implies the installation of equipment at polling stations (and possibly other locations) to enable touch-screen voting. …

5.15. Electronic voting is already used widely internationally, particularly in India but also in Belgium and Estonia amongst others.

I think this is a misunderstanding of voting in Estonia. As far as I know, Estonia doesn’t use paperless touch screens. On voting day, voting is on paper.

There isn’t any serious examination of security risks to voting machines (voting computers), but there is the rather extraordinary assertion that electronic voting could lead to less challenging of “votes” (presumably this means fewer challenges to election results).

5.19. … there would need to be secure procedures in place to ensure the security of data being transmitted from the polling places to the central count operations. The challenging of votes could become less likely. …

I, on the other hand, think paperless touch-screen voting would introduce not only high security risks, but would make challenges to election results both more likely and impossible to satisfactorily resolve (as there is no physical trail to audit).

Q22 Remote Voting (Internet Voting)

(page 19 in main consultation document)

It’s clear this means Internet voting.

Extracts from statements + commentary

5.20. This refers to a process of voting through access of the internet by an electronic device, using an individual recognition code. The use of codes of different sorts to ensure that only the intended person is accessing a system is now commonly used for purchasing, banking, voting in elections within political parties, trade unions and other organisations. Registration to vote is now routinely performed online, as is registering/taxing a motor vehicle and accessing a multitude of other public services or transactions.

Where to begin? Voting doesn’t have the same requirements as banking; voting has much harder to satisfy requirements as the transactions have to be anonymous and aren’t reversible. Voting is not a regular online personalised transactional service.

5.21. Remote voting was piloted in local elections at South Buckinghamshire in May 2007. Although only a minority made use of the facility, 10 years later the option is likely to be more popular. There were no particular technical difficulties but the Electoral Commission called for the pilots to be suspended – along with all others – until the system was generally more secure. There is a risk that, with registering being done remotely, fictitious voters could be created and that voting might not take place in secure environments. In addition, realistic concerns exist about cyber security, and any system needs to be as secure as possible from the dangers of hacking and manipulating votes. This must be weighed against this method becoming more and more commonplace in relation to other types of voting or completion of official forms and having likely efficiency savings. There are remote voting procedures operating in at least one European country allowing the casting of a vote more than once by the same person, with only the final vote cast before close of poll counting. This is to provide for the possibility that an elector may be subject to intimidation when voting but would take a later opportunity to vote in private.

In the list of examples that might have been chosen, South Buckinghamshire in 2007 is a rather oddly specific choice. Plus which it’s very hard to locate those old voting trial documents online.

The usual assertion that online voting will be “popular”, without any context that online voting provably does not increase turnout.

I do like that there is at least some consideration given to security risks, but the idea that we should weigh “realistic concerns” about security against some vague notion of method popularity is odd. One should weigh the security risks of one type of voting against the security risks of another, and optimise for voting system integrity.

While being oddly specific about South Buckhamshire, the document is oddly vague about “at least one European country” – in fact there is only one country in the world that offers national Internet voting, Estonia, and it is only able to have multiple vote casting because it has a comprehensive nationwide system of digital ID, something which the Wales document doesn’t mention.

There is also no mention of the many countries that have had reports recommending against Internet voting (such as Canada) or countries that have withdrawn Internet voting due to security concerns (such as France).

Q23 Electronic Counting

(pages 19-20 of the main consultation document)

I don’t really have the energy to examine the electronic counting piece in detail. Basically what you need to know about electronic counting is that you MUST audit the counts because you cannot trust the counting machines (counting computers). Which, if you have a simple count anyway, means that you’ve generated more work and expense, not less. Electronic counting, with audits, only makes sense if you have a complicated count, and nevertheless distances the process of the election from direct public inspection and understanding.

UK Evidence

As I have mentioned, a lot of the UK evidence from previous voting trials is now hard to locate online. But here are some nice clear statements from the UK Office of the Deputy Prime Minister (ODPM) in Implementation of Electronic Voting in the UK Technical Options Report circa 2003¹

A Comparison with Other Secure Transactions

It is useful to compare voting with other online transactions for which security is needed.

The most obvious comparison is with banking. Attacking an electronic voting system is unlikely to bring the immediate financial rewards that a successful attack on the banking system would, and thus some types of well-resourced attack are less likely. However, the likelihood of well-resourced attacks is still sufficiently high to be problematic.

The consequences of a successful attack are very different with electronic voting, than with banking, though. Banks can, and do, take a financial analysis of how much loss they can stand and insure against such losses. It may be that a political decision could be taken that the loss of a certain percentage of votes is acceptable, but in the absence of such a decision, security appropriate for banking cannot be considered sufficient for electronic voting. Banks have also maintained confidence in the face of repeated losses through computer crime by covering up the cause of those losses. It is inconceivable that, in the event of a successful attack on electronic voting, such a cover-up would be acceptable to the electorate if subsequently disclosed. In a similar vein, individuals can be, and are, compensated for financial losses due to disruption/failures/hacking of online banking. It is not easy to see how there could be equivalent compensation for disruption/failures/hacking of an individuals vote, even if somehow it was discovered which individuals were affected (which might not be possible with some sorts of disruption).

Another issue is anonymity: electronic voting differs from the aforementioned applications due to the fact that, in addition to the requirements for accuracy and privacy, there is the mandated necessity to provide … anonymity. In other words, banking applications can (in fact must) allow tracking back to the user of the system, but the [electronic voting system] must ensure that such tracking is impossible. (Mercuri, 2001, pp8-9).

Electronic voting also differs from financial transactions in that the risk that an election delayed by a few days will have a different result is unacceptably high. By contrast substantial financial transactions between two willing partners usually can be conducted a few days later if there are problems with ecommerce applications, since such transactions are rarely conducted on a whim.

The Mercuri citation above is to
Mercuri, Rebecca, 2001 Electronic Vote Tabulation: Checks and Balances PhD thesis, University of Pennsylvania.

¹ From Paper Vote Canada blog post electronic voting in the UK – technical report, September 17, 2004. As the OPDM site is no longer available, a 31 July 2003 version from the Internet Archive is linked above.