Tuesday, March 09, 2010

Michael Geist on Internet voting issues


The enthusiasm for Internet voting is understandable. At first blush, there is a certain allure associated with the convenience of Internet voting, given the prospect of increased turnout, reduced costs and quicker reporting of results. Moreover, since other security sensitive activities such as banking and health care have gravitated online, supporters argue that elections can't be far behind.

Yet before rushing into Internet voting trials, the dangers should not be overlooked.

...

Caution on Internet voting appears prudent, since experts have identified a long and costly list of necessary precautions, including random spot checks and post-vote verification programs to preserve anonymity. Given the security risks, opening the door to provincial or federal Internet voting seems premature. In the zeal to increase voter turnout, the reliance on Internet voting could inadvertently place the validity of the election process at risk.

Toronto Star - Geist: Hackers, viruses threaten online voting validity - Monday March 8, 2010

UPDATE:
Previously

November 15, 2006 Geist on e-voting


Sunday, March 07, 2010

urban renewal, greenwashing, technoyouth, and Internet voting utopianism

This is in reaction to the Elections Canada Internet voting event, some of the followup to it, and the ongoing trend for Canadian municipalities to adopt Internet voting (as well as the announcement that the province of Alberta will investigate it as well).

Our society loves the new. This is sometimes good, and sometimes appallingly, disastrously bad.

We had decades of "urban renewal", starting in the 50s and gaining momentum in the 60s, that with traffic planning as an essential element, very nearly destroyed the downtown cores of many cities in Canada, and actually succeeded in destroying the cores of many US cities. New is not always better. We are now, with enormous effort and expense, slowly attempting to undo some of the worse excesses of urban renewal, rebuilding and reinhabiting city cores, restricting the previously unlimited role of the fast-moving car in urban planning.

The people at the time had legitimate concerns. They found their cities old and tired, the trolleys familiar and worn. They literally could not imagine that their dense urban neighbourhoods would, rather than being improved by sweeping expressways and demolishing "urban blight", instead be turned into a dead landscape of poverty and neglect. Good intentions can have terrible consequences. We almost always cannot predict the future.

But Internet voting is an area where we actually have a tremendous asset, a community of computer security experts. UPDATE: As well, we can look at the experiences of other countries and jurisdictions. And we can look at other types of online activities. We can make some good guesses about the future. The experts tell us that computer networks are very hard to secure. Other countries show us that the complexity of a good technology implementation can lead to high expenditures with private companies, unsatisfactory results, and lawsuits. The ongoing, continuous security compromises of existing systems, with credit card numbers and other high-value information repeatedly stolen, tell us we are far from a world of high security on the public Internet. ENDUPDATE

We also have a recent trend of greenwashing - corporations that want to make money, but cloak it in some new language of social responsibility or environmentalism. Less paper is not always good. What consumes more resources, a single piece of paper you use once, or a computer in a data centre that is on 24 hours a day, 7 days a week, 365 days a year, requiring round-the-clock high physical and network security? In any case, since when is the foundation of democracy about how "green" your election is? Elections hinge on trustworthy results. You want a green election? How about we just all hold up our hands and someone writes the result down on a chalkboard? No paper wasted! No electricity burned! Making some vague green claims about reduced paper consumption is a diversion from critical, core process and security issues associated with Internet voting.

This is not to mention the fact that a good chunk of the supposed "savings" from Internet voting comes from eliminating polling places, from eliminating polling place workers. Do you seriously want a voting system that is less human, that involves fewer people, that has fewer eyes to identify and report problems?

The most egregious example of Internet voting mythmaking is the myth of the technoyouth. The argument, almost always made by someone who is not young, almost always made without any supporting evidence whatsoever, goes as follows: young people "naturally" use technology, enjoy technology, interact with technology. If you can just "technologize" something, young people will use it.

This is utter nonsense. Young people like doing young people things. They do them with whatever tools are at hand. They don't think about the technology, it's background noise. They think about the activity. Making an activity that people aren't interested in available on a platform that they use will not make them interested. The examples for this are trivial. It's a signature of the myth of the new that we are able to actually believe that somehow "the old rules" don't apply once you put a blinking light on something. You want an easy example: I watch TV. I watch shows I like on TV. I am not interested in sports. There are acres of sports on TV. You know what, this does not make me interested in sports. No one cares about a technology channel for technology's sake except actual technologists. If you put boring middle-aged leaders talking about boring policies for senior citizens in a little video window on a 20-year-old's iPhone, this is not going to make them interested in politics. It's nonsensical.

The overwhelming majority of the evidence from the few large scale examples we had at the Elections Canada Internet Voting discussion is that putting voting on the Internet doesn't magically translate into everyone who uses the Internet suddenly voting. It just makes it easier for the people who already vote.

If you want turnout, then have a TURNOUT STRATEGY. A button on a web page is not a turnout strategy. Real turnout strategies might include:

* online and offline engagement with voters on issues they actually care about
- This is not easy. Real citizens have inconvenient interests. If you want to see how inconvenient true engagement can be, watch supposed super-Internet-connector Obama immediately dismiss even the possibility of a rational discussion about drug (specifically marijuana) policy, every single time it inevitably rises to the top of an Internet engagement attempt.

* Make election day a holiday
* Hold elections on Saturdays
* Put polling places everywhere - in workplaces, in grocery stores, wherever people actually go in their actual modern lives, not some theoretical church and community centre life that hasn't existed for decades
* Make voting mandatory, as it is in Australia

Notice how little of this involves technology.

Lastly, I want to address Internet voting utopianism. I would have thought the dotcom boom would have killed this, but it didn't. Life is not an endless progress towards a better and better world. Just because something is new, doesn't mean it is either inevitable or beneficial. The French Revolution loved their clean, modern new technology: the guillotine. There are lots of things that make no sense to do over the Internet. Just because it's there, doesn't mean you have to use it, IF IT ISN'T THE BEST SOLUTION.

Internet voting solves no problems, and introduces huge new ones, including:
* massive security issues at every step of the very long chain
* massive chain of custody issues
* massive privacy issues
* massive coercion issues
* handing over the core infrastructure of democracy to private companies and/or invisible government technologists
* creating a voting system that no one without a degree in computer science can actually understand

It will not save money except in some narrow sense. You can work numbers so that it looks like you're saving - oh look how much we save if we don't provide some education or some healthcare, as long as we ignore the huge future costs of impoverished people who are in and out of prison and huge numbers of expensive emergency room visits.

Oh look how much we save if we don't provide paper ballots - as long as we ignore the ongoing costs of data centres, legal challenges, and fundamentally undermining trust in our democracy.

Here's a simple thought experiment: would you hand a stranger $10 and ask them to deliver it to City Hall? A $100 bill? A million dollar bill? How much is your vote worth, how much is a national election worth? This is not banking, where you know the bank, they know you, and every single step along the way is auditable and reversible. This is a one-time handover of a treasure, your vote, to layer after layer of systems programmed by strangers, that you cannot inspect the internal workings of, where even the administrators of the systems can never truly know what is going on internally (a computer can always pretend to be executing one program, while actually executing another), in a system where you CANNOT VERIFY THE RESULT (because any system that lets you check how you voted, must inevitably provide the capacity for someone malicious to determine how you voted).

Internet voting is a lose-lose situation. The easier you make it to vote online, the more convenient, the less complicated, the less encumbered by multiple steps and complexity, the easier you make it for a hacker to steal the election. Worse than that, it is quite likely it is actually impossible to secure the election to the multi-billion-dollar risk level that would be appropriate, you simply cannot provide that level of assurance using the public Internet. The best you can do is involve every possible computer security expert at every step of the process, and then have a very highly informed acceptance of an extremely high level of risk. I don't see anything even close to this happening, other than in the Estonian system, which requires a unique national ID certificate for every single citizen and even then doesn't address issues like coercion.

In brief, this is really hard, maybe impossible to do well, and just as with the half-assed Windows-based electronic voting machines visited upon the American people by Diebold (now part of ES&S, an elections vendor that provides technology to Canadian elections), I don't see anyone taking even close to the level of necessary care in the current Canadian Internet voting situations.

Which brings me to my concluding point: to do this well requires an extraordinary level of computer expertise, testing, auditing, risk assessment, and 24/7/365 datacentre security, and a huge set-aside for potential legal challenges in case of fraud accusations. This inconvenient truth exposes the lie of Internet voting as being an easy, cost-saving citizen convenience, and so in most cases what I see is Internet voting advocates who are either ignorant of these issues, ignoring these issues, or deliberately trying to spin them.


Monday, February 01, 2010

Ireland ponders how to dispose of its voting machines

Ireland jumped into the electronic voting arena, acquiring 52 million euros worth of equipment... and then determined the risk of using them was too high. So now they're stuck.

Eight years after they were acquired for €52m, the government wants to return 7,500 barely used electronic voting machines to their manufacturer.

John Gormley, the environment minister, announced last March that he had set up an inter-departmental taskforce to deal with the disposal of the machines, after deciding they would never be used to count votes in an Irish election.

Times Online - Voting machines to be cast out - January 24, 2010

Previously:
February 10, 2005 understanding the true costs of voting machines
February 07, 2005 Ireland does things right
February 03, 2005 Canadian e-voting officials, behold your future: Ireland


six years

This month will be the six-year anniversary of PaperVoteCanada. The first post was February 14, 2004.


article about the Internet voting dialogue

Alice Funke (@punditsguide) has an article in The Hill Times - Online voting won't hike youth turnout, but 'it grows on you,' forum told - February 1, 2010

I'm quoted:

“The municipalities are perhaps naive about the amount of risk they’re assuming,” warned internet voting security expert Richard Akerman of the PaperVoteCanada.ca blog, though. “Very closely contested elections like Al Franken’s recent race for the U.S. Senate were only settled because people could actually see the ballots,” he said. Had it been conducted over the internet, “the expense of defending the integrity of that system in the courts would have been huge,” he claimed.

My concerns include:
* for the risk of coercion, they are acknowledging but accepting this - but have we had a serious debate about whether this is a risk that should be accepted?
* for the risk of a recount, they are simply accepting that all you can do is go and look at the digital data (the "data points" as it was described at the event) - there is nothing to actually recount - while this approach has been accepted, I can easily see an aggressive challenge that required a complete end-to-end forensic audit, which would require a level of technical expertise and time that would be, as I said in the quote, hugely expensive AND raise huge trust issues once people realised both how complex and how opaque these systems are


Sunday, January 31, 2010

tweet archive

This is the raw text of my @papervote tweets from the Elections Canada Internet Voting dialogue. (I'm archiving here because these will disappear from Twitter eventually, and also because I realise many of you prefer to get the text here rather than following in real-time or trying to page through Twitter.)

I have flipped the order so it is more readable - it's oldest first.

First tweet is at 8:54 AM Jan 26th 2010 and last one was at 4:56 PM Jan 26th 2010.
There are a total of 276 tweets.

BEGIN TWEETS

am set up on tethering and will be liveblogging under hashtag #ivotecan - there is a media section here but I only see one person so far

Elections Canada communications has very graciously allowed me to sit at the media table and get power for my netbook. #ivotecan

event is being opened #ivotecan - Elections Canada speaker up next

2/3 of Canadians likely to vote online according to recent survey - Elections Canada #ivotecan

lessons Canada can learn from other jurisdictions within Canada and outside Canada #ivotecan

Elections Canada pilot project will test secure voting via Internet for selected groups eg disabled, Canadians in other countries #ivotecan

Elections Canada emphasizing convenience of Internet voting - but "must maintain level of integrity that Canadians expect" #ivotecan

"Internet voting as an online service" #ivotecan - Elections Canada

Group is working on consistent cross-level standards (provincial, national etc.) #ivotecan

members of parliament and other experts reported to be in audience #ivotecan

Prof. Alvarez up next #ivotecan

Prof Alvarez and audience #ivotecan http://twitpic.com/zuo00

Alvarez will talk about American experience, upsides and downsides #ivotecan

Rationale for Internet Voting: evolution in US from handcounted to optiscan to paperless (nonnetworked and networked systems) #ivotecan

electronic technologies also used throughout the elections process in the United States #ivotecan

defining Internet voting: transmission of ballot over network - references his book One Click One Vote #ivotecan - public elections context

EDITORIAL NOTE: I misheard Alvarez, the book is actually Point, Click and Vote: The Future of Internet Voting. He has also written other books on the topic. END EDITORIAL NOTE

both home computer as well as kiosk Internet voting #ivotecan

Why innovate election tech? - turnout, accessibility, security (!), accuracy (!), efficiency, international access, cost #ivotecan

"How can these technologies improve the efficiency and reduce the cost of election administration?" #ivotecan

American experience - elections have vastly decentralised administration - run at the county level - not national #ivotecan

American experience - "complexity of ballots, regulations and procedures" #ivotecan - may be "dozens and dozens" of items

American experience - multiplicity of ballots, in different languages, covering huge number of items to vote upon #ivotecan

American experience - 2000 Presidential election - controversies have continued about use of electronic voting tech #ivotecan

American experience - California Internet Voting Task Force (2000) - has shaped a lot of US thinking #ivotecan

American experience - Internet voting - Alaska Republican party (Jan 2000) - Arizona Democratic party (March 2000) #ivotecan

Internet voting in 2000 Presidential election - 6 million Americans overseas (military, gov etc.) - special voting rights #ivotecan

international voting - mail transit time to and from e.g. Iraq is a big concern - Internet voting reduces transit time #ivotecan

2000 experiment was a proof of concept - focus on feasibility - electronic version of mail voting system #ivotecan - limited # participants

US international Internet voting used PKI credentials for authentication #ivotecan

not a lot of data - 91 registered, 84 voted using international Internet voting system for US in 2000 #ivotecan

"no security breaches found" for 2000 international Internet vote for US #ivotecan

followup: SERVE - Secure Electronic Voting Registration and Voting Experiment - planned to involve as many as 100,000 #ivotecan

SERVE wasn't implemented because in early 2004 study by computer security experts caused it to be cancelled #ivotecan

in early 2004 Michigan Democratic Party allowed online voting - 28.57% online votes of 162,000 votes total #ivotecan

"Controversies regarding electronic voting machines in 2004 and 2006 elections" #ivotecan

"Election admins and stakeholders reluctant to take on risks associated with voting pilots experiments or transitions to new tech" #ivotecan

ODBP - Okaloosa Distance Balloting Project, implemented in 2008. Kiosk voting for UOCAVA citizens at 3 international locations #ivotecan

there were a few problems with Okaloosa tech but tiny number (<100) voters #ivotecan

use of kiosks means you can ensure the kiosk is secure, rather than using insecure personal computers #ivotecan

(for tests) "Without better scientific design, most of the important outcome variables are difficult to assess" including security #ivotecan

"insufficient data collected" based on US Internet voting experiments to date #ivotecan

Security: What are the real vulnerabilities? How can you mitigate vulnerabilities? Need real experiments #ivotecan

next up: panel on Canadian experiences with Internet voting #ivotecan

Nicole Goodman of Carleton moderating and introducing the panel, which will discuss Canadian municipal Internet voting #ivotecan

first up: Markham's Online Voting Experience by Kimberly Kitteringham and Andrew Brouwer (Town Clerk & Deputy Town Clerk) #ivotecan

Markham Internet voting: 2006 election and plans for 2010 #ivotecan

80% of Markham residents have high-speed Internet access #ivotecan

Why online voting: electronic service delivery, multichannel service delivery, changing lifestyles, "new electorate", convenience #ivotecan

municipal turnout hovered around 30% - Internet voting a channel to encourage participation in voting process #ivotecan

online voting a way to enhance participation by people with disabilities #ivotecan - equal access to the electoral process

2003 Internet voting experience positive, recommended online voting for 2006 #ivotecan

Principles identified: security, accuracy, privacy, authentication/verification #ivotecan

Independent Risk Analysis by Henry Kim of York University; Gartner Group security review of IT platform #ivotecan

Dr. Kim found "similar reasonable risks" with two-step voting to in-person voting, and better characteristics than mail-in voting #ivotecan

Partnered with Election Systems & Software (ES&S) for provision of online voting; security of platform verified by Gartner Group #ivotecan

Comprehensive communications plan about Internet voting / voter awareness provided by Delvinia Interactive #ivotecan

2006 online voting only available during early voting period #ivotecan

reporting positive numbers >75% satisfaction from Delvinia survey #ivotecan found it convenient, voted from home

approx 6000 voted online in 2003, approx 10,000 voted online in 2006 #ivotecan

Change in online voting: earlier campaigning, be clear about ID requirements, change in nature of scrutineer function #ivotecan

scrutineers obviously cannot see voters receive and cast their ballot, unlike in-person voting #ivotecan

2010 Markham issuing RFP for online and tabulator vote systems - 3rd party review of online voting security - access plan #ivotecan

Markham "online voting viewed by staff as continued opportunity for service excellence and civic engagement" #ivotecan

Halifax Regional Municipality (HRM) Internet voting experience next up #ivotecan

Cathy Mellet, Acting Clerk/Manager, HRM #ivotecan

HRM covers large physical area, estimated to have population over 410k by 2012 #ivotecan

4 year "e-voting journey" starting in 2004 - Jan 2007 council approved Internet/phone advance voting with "2 levels of ID verify" #ivotecan

discussing mitigating risks while taking advantage of opportunities #ivotecan

RFP in 2007, selected Intelivote for HRM #ivotecan - had to change Municipal Elections Act and HRM by-law to permit

2008 event demographics 279,000 electors; advance voting: 10% of eligible, 28% of votes cast, 88% used Internet. #ivotecan

"engagement matters to voters" HRM #ivotecan

Principles Balance: accessibility vs scrutiny, engagement vs. integrity, convenience vs security... #ivotecan

objectives: ensure integrity, ensure compliance with regulations... #ivotecan

Partnership with Elections Nova Scotia & vendor #ivotecan

HRM election system & data transfer to vendor #ivotecan - also needed support/help centre and contingency plan

something about firewalls but presentation is going way too fast for me to keep up #ivotecan

voter identification "2 shared secrets" - mailed out password + voter birthdate #ivotecan

Sept 2009 special election - "complete internet voting from advance voting to election day" - "realtime voters list", kiosk #ivotecan

"substantially increased turnout" for special election (30% vs. 10% in previous special elections) HRM #ivotecan

e-voting works, well received, cost effective, greener #ivotecan

Jon McKinstry, Sales Manager, Dominion Voting Systems - presenting City of Peterborough story #ivotecan

Peterborough population 75,600. Internet voting 4400 registered, 3500 cast a vote, total 7% of votes were cast over Internet #ivotecan

if you registered for online but didn't vote over Internet, you could still come and vote in person #ivotecan

reasons: leader in delivery of voting systems, embrace tech, increase voter participation, adapt to changing lifestyles #Ivotecan

spike in demographics for Internet voting actually people 40-50, didn't actually have a peak in younger voters #ivotecan

needed realtime strikeout of voters list so that you couldn't vote online and then vote again in person #ivotecan

wanted a system that would consolidate votes from optical scan and internet voting #ivotecan

Principles: ... going too fast for me to keep up #ivotecan

independent security audit of Dominion Voting by Digital Boundary Group (London, Ontario) #ivotecan

again a shared secret system, with the year of birth being the "secret" along with a preselected q/a #ivotecan

PIN number through regular postal mail or encrypted email #ivotecan

audit: password strength, denial of service, injection, ensure intrusion detection in place, system security vulnerability scans #ivotecan

audit reported "Dominion system was a very secure solution" #ivotecan

vote: elector ID + PIN number, separate website, answer preselected question set at reg time, ?enter birthdate? (not mentioned) #ivotecan

Peterborough - ease of use - could cast ballot for 5 days, 24 hours a day #ivotecan

election help desk as well as 1-800 call centre provided by vendor #ivotecan ("about 100 calls came in")

computers also provided at city hall, library, other sites #ivotecan

enhanced features: accessible ballot with zoom, audio, JAWS compatibility #ivotecan

Lessons learned: important for officials to have "complete understanding" of process and technology #ivotecan

Lessons: important to have dedicated marketing, increase number of laptops, run longer (from advance to election day) #ivotecan

approx 15 minutes for questions #ivotecan

am sitting next to @punditsguide

Q to panel from @punditsguide : privacy - 1 destruction of e-ballots? (e-ballot could be linked back to individual) #ivotecan

Q to panel from @punditsguide : 2 what about voters being coerced at home #ivotecan

Markham: unsupervised voting - one person in a household could do all the voting - part of the risk assessment ... #ivotecan

Markham: unsupervised voting "a risk we were willing to accept" - used education about one person, one vote, secrecy of vote #ivotecan

?Markham? - how are online ballots handled - retained for same duration as paper ballot #ivotecan

?Markham? - paraphrase: no way to connect an individual voter to how they voted in the system #ivotecan

HRM - created substantial penalties ($10k, 2y in jail) for voter fraud, collusion, or influencing #ivotecan

HRM - asked for certificate of destruction for online ballots from vendor #ivotecan

HRM - "two separate systems" that ensure no connection between voter and votes cast #ivotecan

Q City of Toronto: How do you handle recounts? #ivotecan

Halifax - recount = paraphrase "reopen the encrypted file and look at the data points" #ivotecan

Q City of Toronto: do you capture a (screen) image of the vote as cast? A from HRM: no we just record a data point #ivotecan

A on recount from Markham: "an electronic recount of an electronic vote" #Ivotecan

something about "data as recorded when polls closed and put on memory stick for auditor" ? #ivotecan

Jeremy Clark from Waterloo - privacy question - what kind of data is kept about timing of votes - ... #ivotecan

Jeremy Clark... if you keep timing info you can look at vote time and vote recorded and correlate to figure out who cast what vote #ivotecan

answer from panel: timing is kept, it is a risk but ... someone internal would have to do this attack #ivotecan

Q from Elections Ontario: is a preaudit done - is it possible to test the system before event - and is there postevent test #ivotecan

A from HRM - "audit ballots" cast before, during and after election #ivotecan - realtime tests of the system

A from Peterborough - security tests in advance, intrusion tests etc. #ivotecan

A from Markham: similar process to Halifax #ivotecan

Q: load testing? A from HRM: yes, Oracle platform not even stressed, a non-event. Markham: similar to Halifax #ivotecan

Q did you survey people who didn't use the system? do you know why people registered to vote online but didn't? #ivotecan

A from Markham: survey appeared online right after you voted online #ivotecan

EDITORIAL NOTE: At this point I hit an unexpected Tweet cap for a new account (128 tweets). For the rest of the morning I had to move to liveblogging on FriendFeed. I will try to integrate that reporting here later, but for now you can see it by paging through http://friendfeed.com/electronic-voting-in-canada (which also includes some of these tweets)
END EDITORIAL NOTE

tweeted so much, so fast, from this new account that I got temporary twitter lockout. morning reporting at: http://bit.ly/84ynMb #ivotecan

@kirkschmidt there was a Q "risk of internal staff", the response from HRM was "this is a risk we've always had to deal with" #ivotecan

@pmarchi No one has a good (technical) answer to the coercion issue. HRM made coercion "more illegal" with $10k fine, 2y prison. #ivotecan

Just wanted to mention @punditsguide has been doing a great job of tweeting this very fast-moving event. #ivotecan

@jasonkitcat Yeah and in fact several speakers have said convenience mostly helps save existing voters time, no big turnout boost. #ivotecan

I have blogged a brief summary of this morning's very fast, info-packed set of presentations: http://bit.ly/aqPSjY #ivotecan

Tech considerations session presenters: marketer, vendor, open-source guy, tech guy (Peter Wolf of IDEA, Masters in Computer Eng) #ivotecan

Tech considerations panel: Peter Wolf stuck in snowstorm in Frankfurt or something. #ivotecan Projector also not working (tech irony).

Wolf's notes: trust, transparency, but no external evidence of system's correct operation. Hence systems depend on public trust. #ivotecan

Wolf asserts you must then extend greater trust to the entire electoral system as well as have auditors #ivotecan

Wolf: Internet voting - client computer - "nobody can know if this computer can be trusted" #ivotecan

Wolf: observers would like to get insight into operation of systems, and computer security experts may be fundamentally opposed #ivotecan

It's too bad Wolf isn't here, because his notes raise many excellent points. #ivotecan

Wolf: trade secrets may block trust in system, ability to observe operation, due to black boxes e.g. operating systems, code #ivotecan

Wolf: Opening the Black Box. Norway - public access to source codes. Council of Europe - certification guidelines / standards #ivotecan

My editorial comment: it doesn't matter if your source code is open, you can't prove that's the code that is running. #ivotecan

Wolf: commercial vendors were willing to divulge codes if made a condition of Internet voting contracts #ivotecan

Wolf: lack of common standards for certification - issue recognized by Council of Europe #ivotecan

Wolf: sequoia source code released in USA (editor's note: just google that term to find out the results of analysis of the code) #ivotecan

Adam Froman: Delvinia Interactive - marketer/comms for Markham Internet voting #ivotecan

Adam Froman admits up front he doesn't know or care about the technology. He's going to talk about the voter experience. #ivotecan

Delvinia got CANARIE grant to study the use of broadband tech for municipal services - brought $200k to the table for Markham #ivotecan

@zippyFX it's not hard to write a trojan that sends a response back claiming to be the correct software

Delvinia positioning Internet voting as an option, not a replacement for traditional paper vote #ivotecan

Delvinia studied voter attitudes. And also worked on the voter outreach. Including education about registration changes #ivotecan

Delvinia - 2003 - interactive guides - but there's a general need for voter education, regardless of whether they're voting online #ivotecan

Delvinia - web site satisfaction survey - postpolling, online surveys #ivotecan

[ED COMMENT:] In case people don't know Canadian system: scrutineers from all parties watch the open counting of the paper ballots. Many eyes. #ivotecan

Delvinia - with advanced poll, sometimes politicians would show up at people's doors and discover they had already voted #ivotecan

Delvinia: voter registration process was main barrier to Internet voting #ivotecan

@zippyFX the trojan hides in the query stream and lies. Gives the correct CRC, size, response. See e.g. rootkits.

over 90% of people who voted online in Markham said they would be interested in voting in Federal election #ivotecan

Delvinia guy makes "tech is a part of people's lives" argument #ivotecan My counterargument: educate them about the risks of Internet vote.

Delvinia has a point that the new political engagement is a "digital dialogue" with citizens. Engagement beyond vote #ivotecan

Editorial comment: don't mix social media engagement with the need to secure one-time voting experience #ivotecan

Dean Smith of Intelivote also says he will not talk about the tech side of things at all #ivotecan Small Nova Scotia company.

getting sales pitch for Intelivote now #ivotecan

Intelivote assists in writing electronic voting legislation for countries (!) #ivotecan

Intelivote - integrated polling stations, telephone and Internet voting #ivotecan

Intelivote - pitch is "more choice" #ivotecan

talking about components of election system: help center, auditors, Intelivote control, electors, candidates, officials #ivotecan

components of election system diagram shows "Intelivote system" in centre of everything, which kinda freaks me out #ivotecan

Intelivote considers it a benefit that you can vote from anywhere in the world #ivotecan

Intelivote - anecdotal report about first time visually disabled voters were able to cast vote on their own thanks to technology #ivotecan

Intelivote - 2009 by-election "almost 70% voted electronically" is I think what he said #ivotecan

33 municipal elections in Ontario used Internet and/or phone voting #ivotecan "Canada as a leader" rhetoric coming from Intelivote

Speaking of rhetorical questions: Intelivote - "Why are Canadians so open to eVoting?" #ivotecan

Intelivote pitch: choice, flexibility, immediate, auditable results, voter intent clear - no spoiled ballots, enviro friendly #ivotecan

Intelivote pitch (continued): don't have to staff polling stations #ivotecan

Jason Gallagher: open source vs. propriety in 10 minutes or less #ivotecan

err vs. proprietary that is #ivotecan

defines source code #ivotecan

Gallagher explains in proprietary code, you never get to see the source code #ivotecan

looks like @punditsguide has hit a status update limit as well. have directed to http://friendfeed.com/electronic-voting-in-canada

Gallagher explaining open source software - allows peer review of software, no vendor lockin, gives rights to software users #ivotecan

Gallagher: free to modify open source, don't have to rely on vendor #ivotecan

Gallagher: why open source for voting - transparency, not a black box, accountability, auditability, security #ivotecan

Gallagher: how can shared source code be secure? paraphrase "many eyes make bugs shallow" - don't rely on secrets #ivotecan

Gallagher: there will always be hackers, but if your system is open, you also allow people to help you to improve #ivotecan

Gallagher: proprietary advantages - ready made / off the shelf, someone to blame if it goes wrong #ivotecan

Q from ? Alex Sussex ? Univ of Ottawa: everyone can witness paper ballot tally. "you can't actually see software occurring" #ivotecan

Q (continued): what role do candidates play in the observability of the tally? #ivotecan

Q (continued): you don't know what's going on inside the system... what role do candidates play to convince the voters #ivotecan

A from Intelivote: candidates want to be involved... the module shows people being struck off the voters list as they vote #ivotecan

A from Intelivote: no equivalent role for scrutineers in electronic world - no recount #ivotecan

A from Delvinia: you're asking the wrong question. Should be "What would you need to see equivalent to paper voting?" #ivotecan

Editorial comment: there is no equivalent to observing the internals of the system analogous to scrutineer role #ivotecan

A from computer security researcher who asked original question: "there are new ways that allow voters to engage in the auditing" #ivotecan

Intelivote: system observing itself is "placebo effect" - one electronic process is observing another electronic process #ivotecan

Intelivote does allow peer review of its code #ivotecan

Intelivote uses randomization to avoid matching timestamps to determine who voted for whom #ivotecan

Q: how do panel see Internet voting rolling out across Canada #ivotecan

A from Intelivote: says Canada (and by extension Intelivote) has reputation and experience #ivotecan

Delvinia guy says you can use open source if you have the resources to build the solution #ivotecan

Editorial summary: Intelivote guy argues "reputation and experience", Delvinia guy argues "it's inevitable anyway" #ivotecan

Q from Elections Quebec: is there established, audited open source software available #ivotecan

A: one example in Australia, project has since been cancelled. Professor found error in source code. was fixed. #ivotecan

A from Tarvi: not about open source - about auditability and transparency. Estonia does not publish its source code. #ivotecan

A from Tarvi: Estonia ready "at any second" to sign NDA and provide code for auditing purposes #ivotecan

A from Tarvi about client side code: could be very easy to create malicious client side app - don't give out client side code #ivotecan

A from the audience: more open source - Scantegrity open source system, open voting consortium, ?OSEB? - DRE software #ivotecan

break and then roundtable discussion #ivotecan

observations from Alex Trechsel - should do trials, with Canada-specific-research and analysis of the results #ivotecan

Alex Trechsel - make sure you are not generalising from very small data sets or experiments #ivotecan

Alex Trechsel - cautions against generalising even from e.g. Halifax to other Canadian municipalities #ivotecan

Tom Hawthorn - when is it right to move? should we lead new tech (in elections) or follow well established technologies? #ivotecan

Tom Hawthorn - experience in UK was that perhaps they hadn't thought things completely through #ivotecan

Tom Hawthorn but if you wait too long, you may miss an opportunity #ivotecan

Tom Hawthorn - need to understand who is driving the process, who is holding the budget - better if electoral admins drive #ivotecan

Tom Hawthorn - place development of voting systems / software in an international context rather than individual countries #ivotecan

Tom Hawthorn - should develop common understanding and set of benchmarks #ivotecan

Tarvi Martens - electoral system is about trust. holds the same for evoting as for paper. #ivotecan

Tarvi Martens - example of failure in Netherlands. example of failure in Lithuania due to suggesting banking credentials #ivotecan

Tarvi Martens - example of failure in ?Finland? - if you screw up deployment, you will be set back a decade or more #ivotecan

Tarvi Martens - if the deployment of your system, including the user part, does not build trust, you will fail #ivotecan

Tarvi Martens - asserts user identity is critical to system (not surprising since he is expert on computer credentials) #ivotecan

Tarvi Martens - password based systems or weak credentials are easy to attack #ivotecan

Tarvi Martens - if people succeed in compromising your system, you will have a huge setback in trust #ivotecan

Jon Pammett: a wide variety of "policy laboratories" in Canada for Internet and other voting systems experimentation #ivotecan

Jon Pammett: not an expert in tech, wondering if Internet voting will increase turnout, but it seems based on today it won't #ivotecan

Jon Pammett: Internet voting doesn't appear to address voter engagement, which is the true driver of turnout #ivotecan

Jon Pammett: concerned about (my words) consequences of Internet voting road not taken #ivotecan

[ED COMMENT:] argument from panel that mixes "tech use" with youth. In my opinion, this is a false mix. Young people are not tech experts. #ivotecan

Editorial comment: I think there needs to be better research into what actually drives voting, rather than speculating #ivotecan

Q from @punditsguide: Canada examples are municipalities which are low turnout, not highly contested elections #ivotecan

Q @punditsguide: how will this work in a much more competitive election where votes are closer #ivotecan

Q (U Calgary): assess evoting based on increased efficiency? (code for saving money) - but if used in advance voting... #ivotecan

Q (U Calgary, contd) will increase cost of elections without noticeable effect on voter turnout? #ivotecan

Q (U Calgary, 2nd question): where research has been done on impact by age, no positive impact in bringing youth vote #ivotecan

Q (U Calgary, 2nd q): seems that Internet vote is mostly middle-aged turnout. #ivotecan

Q (U Calgary): seems like greater cost and no greater turnout - then what is justification for Internet voting? #ivotecan

A (Jon): age profile data is from municipalities - young people not engaged in municipal politics #ivotecan

@jasonkitcat seems to be a dialogue between desire for turnout and issues about trust #ivotecan

A (Jon): in competitive elections - possibly true people would be more likely to attack systems #ivotecan

A (Alex): in competitive elections higher risk - try it out in less competitive contexts too (and remember Swiss cap evote at 10%) #ivotecan

A (Alex): (not exact quote) "doesn't cost that much, comparatively" for "making people happier in democracy" #ivotecan

A (Alex): also remember youth never had high turnout, but it is dramatically low in e.g. Canada #ivotecan Internet voting not a panacea

A (Tarvi): to use Internet voting in Federal election for the first time is a bad idea - start small #ivotecan

A (Tarvi): Estonia formed a group of IT security experts, every step was security, security, security #ivotecan

A (Tarvi): Estonia knew exactly the potential failure points, the risks #ivotecan

A (Tarvi): if you haven't done your security due diligence, hackers can expose issues and destroy trust in your system as in NL #ivotecan

A (Tarvi): if you reuse your system, then over the long term the costs are lower #ivotecan

A (Tarvi): Internet voting not to increase turnout, it's to PRESERVE the turnout #ivotecan

A from Markham: cost for Internet voting were "quite small", "reasonable" #ivotecan

A from Markham: did see increased turnout #ivotecan not enough data to attribute directly to Internet voting

A from Markham: hackers "a cynical argument" against Internet voting, look at opportunities instead #ivotecan

A from HRM: if you can decrease the number of poll locations you decrease cost and "risk" (training / staff risk) #ivotecan

Comment (Nicole Goodman?): We don't know how any particular Internet voting model will work in any jurisdiction, need trials #ivotecan

Comment: yes there will be a large upfront cost, and there should be since it needs to be done right #ivotecan

Comment: cheaper over the long term #ivotecan

Comment: we can't fix turnout with Internet voting but there is no one solution, young people are not homogeneous group #ivotecan

Editorial comment: cheaper over time is hard considering you need 24/7 physical & net security for data centre 365 days/yr #ivotecan

Q: what are the main arguments against Internet voting? #ivotecan (other than security)

Q (Elections Canada): can academics map when a region is "mature" enough to go on an Internet voting route #ivotecan

A (Tom): Germany ruled use of Internet voting unconstitutional as it was inherently un-understandable by avg citizen #ivotecan

A (Tom): no one knows what the cost model is going to be in the future. may see some new kinds of costs #ivotecan

A (Tom): new costs = auditors, consultants, security experts - could be very expensive #ivotecan

A (Tom): most people in elections systems are not experts in electronic systems / security design - maybe they need to be #ivotecan

A (Tarvi): in Estonia Internet voting was challenged about uniformity of voting #ivotecan

A (Tarvi): ruling was that multiple times to vote over-rides privacy concerns (not sure I understand his answer) #ivotecan

A (Alex): groups in Geneva were strongly opposed to Internet voting (computer security experts) #ivotecan

A (Alex): in Geneva they engaged in a dialogue with the computer security experts #ivotecan

http://www.e-voting.cc/ - Internet voting conference, models #ivotecan

A: an argument against Internet voting - voting in person is a communal experience #ivotecan

Editorial comment: first mention today of compulsory voting as a direction for turnout and engagement #ivotecan

audience comment: 8 million voters in Ontario, 800000 will be voting "electronically" - "it's happening" #ivotecan

I think it's the Intelivote guy: cost savings of electronic voting #ivotecan

aaaand we're done #ivotecan

@jasonkitcat I didn't get a strong sense of a driver other than "seems like a good thing to try"

@punditsguide good to meet you as well

END TWEETS
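The liveblog's remarks that open source does not prove which code is running, and that a compromised client can return the correct CRC, size, and response, can be shown with a small simulation. This is an added example, not code from the post or from any vendor; the builds, class names, and the two checks (a size/CRC report and a nonce-keyed HMAC challenge) are constructed assumptions.

```python
import hashlib
import hmac
import os
import zlib

# Constructed stand-ins: the build the election authority published,
# and a copy that differs from it (by accident or by design).
PUBLISHED_BUILD = b"constructed sample: published voting client\n" * 64
MODIFIED_BUILD = PUBLISHED_BUILD.replace(b"published", b"modified")


class Client:
    """A voter's machine as the server sees it: only its answers are visible."""

    def __init__(self, running, answers_from=None):
        # `running` is the code that actually handles the ballot.
        self.running = running
        # `answers_from` is the bytes used to answer integrity queries.
        # An unmodified or accidentally corrupted client answers from what
        # it runs; a substituted client answers from a kept pristine copy.
        self.answers_from = running if answers_from is None else answers_from

    def report_static(self):
        """Answer a 'what is your size and CRC?' query."""
        return len(self.answers_from), zlib.crc32(self.answers_from)

    def respond(self, nonce):
        """Answer a fresh challenge: HMAC-SHA256 keyed by the server nonce."""
        return hmac.new(nonce, self.answers_from, hashlib.sha256).digest()


class Verifier:
    """Server side: holds the reference build and checks client answers."""

    def __init__(self, reference):
        self.reference = reference

    def static_check(self, client):
        expected = (len(self.reference), zlib.crc32(self.reference))
        return client.report_static() == expected

    def challenge_check(self, client):
        nonce = os.urandom(16)  # fresh per query, so old answers cannot be replayed
        expected = hmac.new(nonce, self.reference, hashlib.sha256).digest()
        return hmac.compare_digest(client.respond(nonce), expected)


def audit(verifier, client):
    """Run both checks and compare them with the ground truth."""
    return {
        "static_check": verifier.static_check(client),
        "challenge_check": verifier.challenge_check(client),
        # Ground truth: known to this simulation, never to a real verifier.
        "runs_published_code": client.running == verifier.reference,
    }


def run_demo():
    verifier = Verifier(PUBLISHED_BUILD)
    clients = {
        "unmodified": Client(PUBLISHED_BUILD),
        "corrupted": Client(MODIFIED_BUILD),
        "substituted": Client(MODIFIED_BUILD, answers_from=PUBLISHED_BUILD),
    }
    return {name: audit(verifier, c) for name, c in clients.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12} {result}")
```

Both checks separate the corrupted client from the unmodified one, but the substituted client returns the same answers as the unmodified one, so a pass says nothing about which code handled the ballot.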


Tuesday, January 26, 2010

Internet voting dialogue: brief morning summary

I liked that the municipalities, particularly Halifax Regional (HRM), talked about a risk mitigation framework, but I don't think they fully appreciate the degree of risk they're accepting, particularly since they're using third-party technology from private companies.

I was most impressed with Tarvi Martens' presentation about the technical details of the Estonian Internet voting system. They have clearly thought very seriously about the various issues involved, and have very very heavy physical security for the data centre, and no remote admin access outside the datacentre. He also emphasized they had a principle of "no black box systems" in the data centre, so they use Debian, an open source operating system, rather than Windows. The fact they have a national ID card addresses the key distribution and network encryption issues (because the ID card includes an encryption key, a public/private digital signature key). They also put ISPs on high alert during the election period and monitor continuously for attacks.

I did ask him about the security of the user's desktop and his answer was reasonable but to me, ultimately still unsatisfactory. They are using what I assume are honeypot systems to monitor for emerging trojans that pretend to be some component of the desktop voting system (or presumably the ecard reader driver etc.). They also have as the first step of their voting procedure that the user should ensure their system is scanned for viruses. However there are multiple issues including the innumerable vectors for home system attack, the fact that most users WON'T secure or scan their systems no matter how often you educate them about the issue, and the possibility for rootkit or other subtle elusive trojans that might not be picked up by their honeypots.

He did say, which I think is an important contingency measure, that in the event they did detect a widespread trojan attack they have the possibility to simply shut down Internet voting and tell people to vote on paper on their regular voting day (Sunday).

The other thing I heard from multiple speakers is that Internet voting is not having substantial impact on turnout. What it is doing is making it more convenient... for people who would have already voted.


first timer

In case you're new to the blog, the Blogger navigation is not all that great, but if you're on the blog (rather than reading through RSS) you can use the search in the upper left, or browse the archives listed a ways down on the right hand side. The archives stretch back to February 2004; this is not a new blog.


Liveblogging

Liveblogging Internet Voting event at @papervote under hashtag #ivotecan

UPDATE: Have exceeded the status update limit for @papervote (!) - already just for the first session. Have moved to liveblogging on FriendFeed at http://friendfeed.com/electronic-voting-in-canada


Monday, January 25, 2010

knowing the players

I have looked at the materials provided for the Internet Voting event on January 26, 2010 and there are no participant biographies, so here is whatever I can find. I am listing academic credentials where available not because I think everyone needs to be a computer scientist trained in security to fully understand the issues, but because at least SOME of the people involved need to be computer & network security experts. I am also indicating corporate affiliations because no reasonable person can argue that a corporation providing Internet voting technology is going to do anything but present (through its spokespeople) every possible positive argument FOR Internet voting technology.

This is simply an analysis of the players from a computer security standpoint. Three main points are examined:
1. What is their academic background in computer security
2. What are their stated positions about Internet voting or, in the absence of statements, what is their corporation's position on Internet voting
3. If they are providing Internet voting technology, what information is publicly available about the security analysis for these systems? It is incumbent on all voting technology providers to address all realistic threats to their systems in an open manner. There is no security through obscurity. A failure to do so shows an unseriousness about security.

I also want to make a key point: elections do not hinge on voter perceptions of security and convenience. Elections hinge on ACTUAL security. Asking members of the public if they think Internet voting is secure enough or if they are comfortable voting online or if it is convenient to vote online does not mean, in any way whatsoever, that the actual vote is ACTUALLY SECURE.

If citizens perceive a bank as (financially) safe but government regulation actually creates a situation where the bank fails (as has happened repeatedly in the United States), then it is clear the citizen perception was meaningless; what was important was the government failure to actually deliver an appropriate level of ACTUAL security.

And again, even if the system was actually secure, which is somewhere between highly unlikely and impossible, it still doesn't mean the system meets necessary requirements for a functioning democracy.

The Players:

* Michael Alvarez, California Institute of Technology (Caltech)
- Dr. Alvarez is a Professor of Political Science at Caltech and Co-Director of the Caltech/MIT Voting Technology Project. His BA, MA and PhD are in Political Science.
- info from Caltech site

The mission of the Voting Technology Project is, not surprisingly, around technology: "All of this research and policymaking activity seeks to develop better voting technologies, to improve election administration, and to deepen scientific research in these areas."

It is important to remember that US elections are much more complicated than Canadian elections, with many more candidates running for many more positions, in addition to (in many states), multiple complicated ballot initiatives (direct democracy issues to be voted upon).

* Kimberley Kitteringham, Town Clerk, Town of Markham
- reported in media as advocating Internet voting

"We definitely think our early voting turnout was a direct result of the increased participation of people in the online voting process because online voting, from our staff and post-election survey, engages the voter that has been typically apathetic or difficult to reach. It offers a convenient solution for them because they can do it from anywhere in the world," Ms Kitteringham said.

yorkregion.com - Internet gateway to election reforms in Vaughan - September 30, 2009

* Andrew Brouwer, Deputy Town Clerk, Town of Markham
- Bachelor of Environmental Studies, Urban and Regional Planning; Master of Public Administration, Local Government Program (from LinkedIn profile)

* Cathy Mellett, Acting Clerk/Manager, Halifax Regional Municipality
- reported in media as advocating Internet voting

"We had people vote from Sri Lanka, from Korea, from over 50 Canadian cities and 25 American states," said Cathy Mellett, e-voting project manager for the Halifax Regional Municipality.

"That's really been the objective from the very beginning, it's about getting voters accessible and participating in the overall election here in the HRM."

Mellett said there were no serious glitches in the system during the voting period.

CBC News - 10% of HRM voters cast e-ballots - October 7, 2008

* John McKinstry, Sales Manager, Dominion Voting Systems
- a company that has literally trademarked the word democracy: "Dominion Democracy™ is our comprehensive yet flexible voting suite, designed to uphold the principles and ideals of the electoral process."
- message is shaped entirely around turnout

Voter turnouts continue to fall even in the face of aggressive communications campaigns at all levels of government. One way to improve turnouts is to give the voters more voting choice; choices that reflect changing technologies. Chief among these alternative choices is remote voting. In taking voting to the voter, you remove one of the barriers to turnout.

Taking the voting booth to the voter
- according to Google search (site:www.dominionvoting.com security) entire site has exactly two mentions of security
1.

Everything before and after the ballot is hosted on computer servers. There may not even be paper ballots, as is the case with Internet voting.

Dominion can host your elections on our secure servers to ensure the integrity of your election. We pride ourselves on the security and permanency of our server system.

Hosting your election
In summary: your election, hosted on a private company's servers. How do you know they are secure? Because they pride themselves on security.
2. There is a single instance of the word "security" in their document Democracy Suite EMS Edition 2007 (PDF)

To address the sensitivity of the election process from a security standpoint, the system provides role-based authentication and authorization, while all data transactions are protected for greater confidentiality and data integrity.

While it is good that the system uses authorisation to limit access, and "protection" for data transactions (whatever that means), this assumes that a) the authentication credentials have not been compromised and b) the network transmission is a particularly vulnerable and interesting place to attack.

Just on the second point: HTTPS encryption of web transactions is essentially like using an armored car to transport money between two completely unsecured endpoints, between a house with no locks on its doors and a bank vault with no lock or security system. Attackers target system weaknesses. Since the Democracy Suite uses Windows computers, isn't an attacker more likely to attack the servers themselves using known Windows vulnerabilities, than to try to intercept the data in transit? The document does not address these issues. You have to secure Internet voting systems END-TO-END, from keystroke on the desktop to calculated results on the datacentre servers. This is impossible to do with anything approaching a high level of security (a high level of risk mitigation) for an election threat model.

* Alexander Trechsel, European University Institute, Florence
- Professor of Political Science and the first full-time holder of the Swiss Chair in Federalism and Democracy at the European University Institute (EUI) in Florence, Italy.
- info from EUI site
- PhD in Political Science (from LinkedIn profile)

* Tarvi Martens, Development Director, Certification Centre, Estonia
- MSc IT, Tallinna Tehnikaülikool (from LinkedIn profile)
- Program Manager for Internet Voting at Estonian National Electoral Committee (currently)
- Development Director at SK (currently)
- SK is a company that provides "provision of different certificates to physical persons and organisations. Currently, the largest project handled by SK involves issuing authentication and digital signature certificates to Estonian ID cards." - http://www.sk.ee/pages.php/0203
That is, SK is a private company in the business of providing certification technology.

* Urs Gasser, Harvard University
- Dr. Urs Gasser is the Berkman Center for Internet & Society's Executive Director.
- graduate of the University of St. Gallen (S.J.D. 2001, J.D. 1997) and Harvard Law School (LL.M. 2003) (Note: these are all law degrees)
- info from Berkman Center site

* Tom Hawthorn, The Electoral Commission


Remote electronic voting via the internet and telephone was once the future of British elections. But trials held in the 2003 local elections found it made little difference to turn-out and raised concerns about security, privacy and transparency.

Tom Hawthorn, electoral modernisation manager for the Electoral Commission, says that remote e-voting is unlikely this decade, although he believes the idea may return. "In the short- to medium-term, there's things about the existing voting system - voting stations and postal ballots - which can be improved," he says.

guardian.co.uk - Voting searches for the x-factor - Nov 23, 2005
- 2006 presentation "What voters expect from a voting system" indicates high degree of concern about "my vote being private" and "my vote being safe from fraud and abuse" (in terms of percentages these are the top two concerns expressed)

* Adam Froman, President, Delvinia Interactive
- corporation that promotes Internet voting
- "Internet voting made a positive impact on the election results." from blurb on page for their report "Understanding the Digital Voter Experience"

* Dean Smith, President, Intelivote Systems Inc.
- corporation that provides Internet voting
- eight results for site search on "security" (site:www.intelivote.com security)

* Jason Gallagher, Open Source Software Developer
- I don't actually know who this is. The most likely match appears to be: "Lead Open Source Software Developer for McMaster University, Dept. of Family Medicine" (from PCHRI 2006 participants)

* Peter Wolf, International Institute for Democracy and Electoral Assistance (IDEA), Stockholm
- MSc., Graz University of Technology (from IDEA site)

I welcome corrections and clarifications and I will update this posting if more information becomes available.


Thursday, January 21, 2010

twitter

If I can, I will be tweeting the Internet Voting Dialogue on January 26, 2010 from

http://twitter.com/papervote

No hashtag has been declared that I can find. I'm proposing #ivotecan

For electronic voting in Canada in general I have been using hashtag #evotecan

and there's an aggregator / discussion group on FriendFeed: Electronic Voting Canada.


Ottawa Jan 26, 2010 Elections Canada event on Internet voting

Very worrying.

The Canada-Europe Transatlantic Dialogue (Strategic Knowledge Cluster)

Internet Voting: What Can Canada Learn?

This workshop brings together practitioners and scholars to explore issues involved in the development of Internet voting. Speakers include experts from various jurisdictions where Internet voting has been used, and prominent researchers who have studied models of Internet voting. Speakers will detail the development of Internet voting in Canada at the municipal level by examining the cases of Markham, Peterborough and Halifax, and in Europe nationally and sub-nationally by exploring the experiences of Estonia, Switzerland and the United Kingdom. The workshop will consider rationales for the implementation of Internet voting, various features and models of its application, advantages and disadvantages, public acceptance, effects on accessibility and voter turnout, and security issues. Experts will share advice regarding technical considerations such as cost, legal requirements, software and security.

NOTE: The registration deadline was JANUARY 21, 2010. Here's the (somewhat difficult to find) registration link: http://www.zoomerang.com/Survey/WEB229ZQUQUZMT

UPDATE 2010-01-25: I just realised I forgot to include a link to the event itself. Here is the Elections Canada link - Elections Canada: Media: Special Events and Conferences: Internet Voting and the Carleton link - Canada-Europe Transatlantic Dialogue (CETD) Events: Internet Voting. ENDUPDATE

Look at the issues they're examining:
* cost
* legal requirements
* software
* security

Let's revisit what I have called the "Democracy Requirements" for voting:
* preserving the secret ballot
* retaining the right to an uncoerced vote
* the integrity and accuracy of the vote count (all votes gathered and correctly counted)
* the simplicity of the system (can voters understand how the entire voting system works?)

Do you see the problem? They're talking about voting, but as usual, they're talking about it as if it were any other government "service" that is "delivered", rather than the single foundational element of our democratic society. This is what they always do, focus on the technology rather than the actual requirements for the integrity of the vote.

I can guarantee what the Internet voting presenters will discuss is three main things: convenience, turnout, and security. They will make a bunch of abstract claims about encryption and secure networks that will sound good but that, if you are an actual computer security expert, are actually nonsense.

You CANNOT, as in impossible:
* use technological security to ensure perfect end-to-end chain of custody for Internet voting
* construct a system in which the ballot is actually secret and anonymous

While it is true that there are theoretical computer constructs that can accomplish this, they run on theoretical computers over theoretical networks to theoretical servers. They do not run on Windows 7 computers on an ISP Internet connection to a bunch of servers in an actual datacentre.

Just think of the thousands, probably millions of phishing attempts every day, and the large number of these attempts that are successful. Just think of the recent security attacks on Google. Just think of the endless litany of lost passwords, lost user accounts, compromised commercial organisations. The home computer and the public Internet is one of the LEAST SECURE possible places I can imagine to hold an election.

Just off the top of my head I can list numerous possible compromises:
* if the password is sent in the physical mail, requiring at most some publicly discoverable extra piece of information (e.g. the user's birthdate), then I can attack the password distribution, in the same way that people steal credit cards and identities
* if it's not sent by mail, how do you solve the huge problem of secure key distribution to 30 million people? (secure key distribution is one of the single hardest problems in computer security)
* If your machine is already on a botnet, and millions of compromised machines already are, I have basically unlimited freedom to alter and compromise the election. I can watch your keystrokes and record who you voted for. I can watch your keystrokes and then, behind the scenes, CHANGE who you voted for. I can decide I don't like the parties running and use my botnet to attack the election servers (if you say "well, the datacentre can just block the attack" - yes, but the attackers are CITIZEN COMPUTERS)
* I can skip the end user and compromise the physical security of the data centre. And/or I can insert code into the servers that counts whatever votes for whatever candidates I want.

Even if the security is done well, there are insurmountable issues.
But even worse, the security is almost never done well. Because it is about cost, it goes often to the lowest bidder. Do you seriously want your entire election run by some private company that was the lowest bidder? Or consultants for Elections Canada that gave the best price? What "best price" means is, as was shown repeatedly for Diebold, the elections technology provider takes off-the-shelf technology (how could they not, and still provide the lowest cost), hacks together some amateurish backend with a somewhat pretty frontend, and then serves that up as a secure elections solution, leaving NOT ONLY all the security issues with e.g. running on Windows, but introducing ADDITIONAL security issues with code that is almost always woefully insecure, badly designed, and not available for review by outside computer security experts.

And even if, by some miracle, none of these things happens, ok we run an election.
It ends like the 1995 Quebec Referendum, 50.58% "No" to 49.42% "Yes" (note: elections are razor close ALL THE TIME).
So you say, all settled then, 50.58% "No".
And I say: PROVE the computers, the Internet, and the data centre were not compromised. PROVE the votes were not coerced. PROVE that it was actually Canadians voting, once, and not stolen accounts anywhere in the world voting multiple times.

You cannot prove this. Goodbye decisive elections. Hello endless battles.
Do you think this is abstract? There was ALREADY a fiasco with electronic voting machines in Quebec, which as terrible as they are, are at least in observable physical space. It was so bad, they had to investigate it, and:

On October 24, 2006 the Chief Electoral Officer of Quebec released a report (in French only) "Report on the Evaluation of New Methods of Voting" (Rapport d'évaluation des nouveaux mécanismes de votation). In a press release, three root causes of problems with electronic voting machines in the 2005 municipal elections were identified:

* an imprecise legislative and administrative framework
* absence of technical specifications, norms and standards
* poor management of voting systems (especially lack of security measures)

He recommended that the current moratorium on the use of these systems be maintained, and left it up to the provincial legislature to decide whether or not to use electronic voting in future.

