Sunday, October 16, 2016

Nathan Cullen on online voting

Nathan Cullen spoke about the NDP's report on its electoral reform consultations.  You can watch on CPAC video.  The segment about online voting runs from 16:20 to 16:50 in "Voting Reform: News Conference - Nathan Cullen".
Let me take a couple of other things that I've had my mind changed on.  Going into this process I was quite enthusiastic about online voting - I thought you know, Canadians bank online, shop online, some date online, why not vote online?  The testimony we've gotten back from experts in the information technology field has put a chill on the committee, if I... - I don't want to speak for the whole committee, but - we've had many conversations about it, the testimony's been devastating towards the idea of online, just on security levels, not so much on access.
(Manual transcript by me from the video.)

Labels: , , ,

Friday, October 14, 2016

ERRE Electoral Reform Committee - MP reports, Briefs, Witnesses, Meetings

The ERRE Special Committee on Electoral Reform has a page that has MP reports ("Members Reports"), Briefs submitted by Canadians, a list of Witnesses including direct links to their testimony (click on the microphone icon), and Meetings.

It's a very useful page, but unfortunately kind of buried unless you know about it.

You can find it at


Labels: ,

Thursday, October 06, 2016

Brief submitted to Special Committee on Electoral Reform - October 2016

I have submitted my brief to the committee, it's a 9-page document that comes in just under 3000 words.  I wanted to include more references but I ran out of space.

You can find the PDF at


Where you can download by clicking on the down arrow in the upper right of the screen.

Or you can see the embedded version below.

Labels: , ,

Sunday, October 02, 2016

ERRE Presentation - Internet Voting: Making Elections Hackable - Dr. Barbara Simons

Presentation by Dr. Barbara Simons to Canadian ERRE Special Committee on Electoral Reform, meeting 32, panel 3, in Vancouver on September 28, 2016.  Provided by permission of Dr. Simons.

Audio is available from ParlVu.  Panel 3 with Dr. Simons starts at 21:31:25.
Her presentation begins at 21:33:25 and ends at 21:39:32.  The panel ends at 22:54:50.

I tried to use the built-in download-and-clip tool to get a segment of the audio but it didn't work for me.

UPDATE 2016-10-18:


Transcript of Dr. Simons' presentaton (from OpenParliament.ca)

Thank you for the opportunity to speak with you today about a critical issue: the fundamental insecurity of all currently available Internet voting systems. If this were a medical hearing to determine whether to approve a new drug for human consumption, safety would be paramount. A drug that is likely to result in serious injury to patients would be rejected, no matter how many people wanted to use it. Internet voting is like a drug we are considering for the country.

If there is even a small chance that Internet voting might result in our elections being hacked, it doesn't matter how many people want it. If Internet voting puts our elections at risk—and it does—we must reject it until such time as it can be proven secure.

I have brought copies of the “Computer Technologists' Statement on Internet Voting”, which unfortunately hasn't been translated, so I guess I can't distribute them, but they will be made available later and I could address the recommendations made in that statement during the question period. It was signed by prominent computer science researchers from major universities throughout the United States. I think it's a fair statement to say that computer security experts are basically in total agreement that we should not have Internet voting at this time, anywhere.

The title of my talk is, “Internet Voting: Making Elections Hackable”. As you know, there are five principles for this hearing, one of which is integrity. Australia did an assessment of Internet voting and there's a quote from the Honourable Tony Smith, who was chair of the joint standing committee on electoral matters in Australia, which says, “it is clear to me...that Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.”

Those of you who have copies of my slides see that the next slide has a list of a large number of sites that have been hacked, starting with Yahoo, where half a billion users' accounts were hacked into, and that includes a lot of Canadians. It also includes, in Canada, the Department of Finance, the Treasury Board Secretariat, Defence Research and Development Canada, the National Research Council, The Ottawa Hospital, and the University of Calgary. In the United States it includes the Democratic National Committee, as I'm sure you've heard, the Office of Personnel Management, the Pentagon emails, the FBI, the White House, the U.S. State Department, Google, AOL, Symantec, and so on and so forth.

A question that I hope this committee will ask itself is, what will happen if we take up Internet voting in this country, and months after a government is seated it is discovered that the election has been hacked? This is not an unrealistic scenario. The Yahoo breach started in 2014 and it was just uncovered. The Democratic National Committee breach occurred months before it was discovered. It typically takes months to discover a breach after it has occurred. You can replace money that's stolen from online bank accounts—and by the way, millions and millions of dollars are stolen annually from online bank accounts—but you cannot replace votes.

Toronto did a security analysis of three systems that were submitted there for consideration. The conclusion of the security analysis was that no proposal provides adequate protection against the risks inherent in Internet voting. Their recommendation was that the city not proceed with Internet voting in upcoming municipal elections.

Quebec has had a moratorium on electronic voting since 2005.

British Columbia had a panel that investigated Internet voting. Their conclusion was, first of all, non-voters usually don't vote over the Internet. It's used primarily as a tool for voters who have already decided to vote, mostly middle-age voters. It's least popular among young people, and that reflects traditional voter turnout. Their recommendation is to not implement Internet voting for either local or provincial government elections at this time.

Estonia is often brought up as an example of a country that has successfully conducted Internet voting. Most people don't know that in 2014, an independent group of international experts performed a security evaluation of the Estonian system. They found that it's vulnerable to state-level attackers who could compromise the secret ballot, disrupt elections, or cast doubt on the fairness of the results, and it is vulnerable to a range of attacks, including vote-stealing malware on the voter's machine, and they recommended that Internet voting be halted. Unfortunately, in Estonia, it has not been.

Basically, Washington, D.C., was considering Internet voting for real elections in the 2010 mid-term. They opened it up two weeks beforehand to allow anyone from anywhere to try to hack into the system. This is the only time this has been done. Two weeks before, it was taken over within 36 hours by a team from the University of Michigan. They could change already cast and future ballots, and they could reveal the voters' secret ballots. They installed the University of Michigan fight song as their calling card, so it would start playing 15 seconds after voting in this sample election, which was quite interesting for those of us who didn't know they had broken in. They also discovered probes coming from China and Iran, and they protected the system from these probes.

I don't think that China and Iran were actually trying to break into a pilot system. It wasn't a real election; it was a toy election. But these probes are always on the Internet, and they are always trying to break in. As I said, no other vendor has allowed such a test because, I believe, they know that their systems would be vulnerable. In fact, the only kind of real-life test you can do is to let anyone from anywhere try to break in, because that's what reality is.

Thank you.


Q - Gérard Deltell:  Madam Simons, if we change the way we elect our people, we are open to discussion, but at the end of the day, the people shall decide by a referendum. It's not up to parties and politicians because we are in a conflict of interest with regard to the decision.

What do you think about that?

A - Barbara Simons:  I think that a referendum may be fine for certain issues, but when it's a heavily technological issue like Internet voting, you really need to listen to the experts. In fact, when I first heard about Internet voting, I thought it was a great idea. I really wanted to do it, and most of my colleagues—almost all of us are geeks, I should say. Notice that I'm here with this. I mean, I live on a computer. I spend all day long on the computer. I love my computer. But I don't want to vote on my computer, not in a major election.

Look at what's happening in the United States right now, where the Democratic Party is terrified that the election is going to be rigged by Russia. Now, I'm not saying that's going to happen, but the very fact that people are even contemplating that idea is very disturbing.

I was in Estonia a few years ago, at the invitation of the Estonian Centre Party, which is the second-largest party in Estonia, and remember, as I said in my talk, people hold up Estonia as the model of Internet voting in a country.

They invited me there because they are convinced that their elections are being rigged. They are the second-largest party, and if you look at who votes over the Internet, members of their party do not.... At least they don't get votes over the Internet very much. Most of their votes come from paper ballots, because Estonia has both paper ballots and Internet voting. They wanted me to go there and tell them that the election was rigged. I couldn't do that, because there's no way to know.

That's one of the terrifying things of Internet voting. You could have malware, election-rigging malware, on the voter's machine which could change the vote before it goes out over the Internet. What you see on your screen is not necessarily what goes out, because there are different components in a computer. It could change what goes out and the voter would never know.

That means that when you get the electronic ballots at the other end, these bits, you cannot know if they accurately represent the will of the voters, and therefore, you cannot do a recount. I could not therefore tell members of the Estonian Centre Party that the election was rigged, nor could I tell them that it was not rigged.

I think that is a very unhealthy situation for a democracy.

Q - Gabriel Ste-Marie: I am going to start by addressing you, Ms. Simons.

Thank you for coming and warning us against electronic voting. The points you raised are disturbing. As you said, in the American election campaign, Russian computer scientists got hold of emails belonging to the woman who is a candidate for the office of president of the United States. In Canada, it would be unthinkable to realize, a year or two after an election, that the entire thing had been tampered with by foreign interests and that this had even put, who knows, the Bloc Québécois in power. That would be hard to believe, but in any event, we have to be careful.

What is good about our system is that we have a little piece of paper and a little pencil, we mark an X and we put the paper in the box, so it can be counted and examined.

I have a concern about electronic voting. The fact that the person voting would not be alone in a booth concerns me. We could have vote-buying, negative influence, fear, and so on. In your eyes, do these factors also amount to obstacles to electronic voting?

A - Barbara Simons: I think when you talk about the person not being alone with Internet voting, that's an issue for any kind of remote voting. It's the same for voting by mail. With Internet voting, you have to worry about voter coercion and vote buying and selling. That's of concern to me. I think remote voting should be held to a minimum. There are people who have to do it because they are not well, or they are away and they have to vote remotely, but generally speaking, it shouldn't be, as it is in many parts of the United States, made available to everybody. My experience in Canada is that it isn't made available to everybody. It's not that easy, and I think that's a good thing.

You talked about the paper ballots. I was a poll worker in a provincial election here, and I thought the way the election was run was wonderful. I've also worked on an election in the United States, and believe me, it's done much better in Canada. It really is.

One of the things that's nice about the way it's done in Canada is that when the election was over, we all tabulated the ballots. There were all these rules. They had to come out right. There was a lot of double-checking and triple-checking, and nobody could leave until it all worked. There was one table that hadn't quite...they were off by one, and the rest of us were hungry, but we couldn't leave until they finally worked it out. I thought it was wonderful.

Another thing I hope you will keep in mind when you think about moving to another form of voting is whether you can retain this spirit, this counting locally, and this being able to check locally and have observers from all the parties who can look at what's going on. If you move to a complicated form of voting, then you're going to have to use computers, and you won't be able to see what's going on inside the computers. You'll be dependent on the software, which could have software bugs or it could have malware.

Q - John Aldag: Dr. Simons, I want to start the questioning with you.

I found the information you provided fascinating. As Mr. Cullen had noted when we started, it seemed that online voting could be a solution to a lot of our problems, including accessibility. You've just taken that and thrown it in the trash can for me. It causes me some concern. Is there any hope for any application down the road?

One of the things we've been asked to look at is increasing accessibility and voter participation. I know from my own experience during my first election in October, I did have people who were unable to make it to the polling booth, and Elections Canada did some great work to make their votes accessible. I thought there could be some great opportunities for those who are homebound dealing with disabilities.

Then we had a witness from the Canadian National Institute for the Blind who spoke with us more recently. Her testimony really touched me. She talked about never having been able to have a secret ballot. One of the many messages I got from her is that many persons with disabilities, particularly visual disabilities, have technology that they work with at home that uses oral prompts and other things to help them. I thought maybe we need to go with a limited-reach online voting. We heard that from our Chief Electoral Officer, to maybe go small and do some test populations.

Until you spoke, I was hoping that we could convince Elections Canada to start with a population such as those with sight disabilities and pilot something, but with what you're saying, the risks are so high.

Would you advise us and direct us away from even going that far, because of the vulnerabilities?

A - Barbara Simons: There are safer alternatives.

In the United States there's been a lot of concern about voters in the military overseas, because it takes a long time, and about people with disabilities. What's done there, and I think this could be done in Canada, is that you can make the blank ballot available online. In the U.S. for military voters, by law it's made available at least 45 days in advance of the election. They download the ballot, print it out, fill it out, and mail it in.

Now, with voters with disabilities, you could download the ballot onto the computer, and they could use their tools to vote. One thing you need to be careful about is that when that happens, you don't want their computer communicating with the main server, because that's basically Internet voting again, and you have lots of issues, such as the secret ballot. But they can download it onto their computer, disconnect from the Internet, and then fill it out locally so that they can take advantage of the tools they have. A blind voter can fill it out, print it out, and then mail it in by postal mail. Again, they can use the tools, and if it's done enough in advance, they don't have to worry about the time for the postal mail.

Q - John Aldag: It's a wonderful suggestion, very practical.

What else have you encountered in this area of research that you can get to us while we have access to your expertise, before the chair cuts me off? Are there any other gems you can give us that will help us reach out to some of these populations that have been disenfranchised from our voting system?

A - Barbara Simons:  know there's been concern among first nations. I've heard some testimony in another event where a first nation person was strongly advocating for Internet voting.

Again, I think it does a disservice to voters with disabilities, to first nations, to anybody, to provide them with a tool that is fundamentally insecure. We owe it to them when we provide them with alternatives to make sure those alternatives are secure.

That would be my recommendation.

Comment - Scott Reid: I don't have any questions for you, Dr. Simons, and that's because you've resolved matters in my mind. I'm now firmly committed to not moving to electronic voting. In fact, I'm completely paranoid. That was very convincing.

Q - Sherry Romanado: Dr. Simons, like my colleagues, I have to say that if we weren't already unsure about Internet voting, your testimony this evening scared some of us. I'll add to this, so please forgive my little sidebar.

In addition to sitting on the committee for electoral reform, I also sit on the Standing Committee on National Defence. We've just completed part of a study on the defence of North America, specifically on aerial readiness. We spent some time at NORAD during this study, where we heard about the emerging threats, conventional and asymmetrical attacks, and specifically, cyber-threats and cyber-attacks here in Canada.

You brought up a point that I hadn't thought of. We heard that there was an increase in the potential for cyber-attacks in Canada, and in fact Canada is now looking at a consultation to upgrade our national cybersecurity policy. You mentioned the actual machines to do the count, and I thought that was interesting, because I had only heard about the e-voting or online voting. You mentioned that whatever system we decide to put into place, if there are requirements for algorithms or calculations coming out of whatever we choose, those are also susceptible to cyber-attack.

For instance, it's simple to count the ballots—and I think most of us have volunteered at elections where you get to count the ballots—but if we actually have a system where we have to run these ballots or votes through a machine for it to then do the calculations, whether it be a proportional system or whatever system we choose, those too are susceptible to attack.

Could you elaborate a bit on that? I hadn't thought of that portion.

A - Barbara Simons: By the way, before I do that, here's one other thing to help make you more paranoid with regard to Internet voting. Think about ransomware and how that could be applied to Internet voting.

Getting back to your question, in terms of being subject to cyber-attack, that would depend on whether or not it has access to the Internet. I'm not saying that introducing computers into the election process necessarily would make them vulnerable to cyber-attack. What I'm saying is that when you bring in the computers, you are dependent on the computers. You're dependent on the algorithm for counting the votes.

In the case of some of these systems, that can be complicated. You have to be careful that the algorithm is correct, that the code was written correctly, and that no bad person has gotten their hands on those machines and changed the software to rig the election in some way. You can't really open up the machine and look at it the way you can pieces of paper. You just have to be more careful. There are risks whenever you introduce computers into the system.

It's kind of funny, because the people who are raising the alarm, by and large, are the computer scientists, and when I first started this, we were being told by people who really didn't know anything about computers that we were Luddites to talk about these issues.

I'm just counselling you that if we move to a very complicated system that can't be tabulated manually, it means that computers will have to come in. That means that in some sense we're going to be outsourcing the election to the vendors. Even if it's homegrown software, you still are dependent on the people who write the software and on the algorithms being correct. You introduce an element of risk, and you also don't have the transparency that our elections currently have, and I think that transparency is really a wonderful thing.

There are other forms of voting that aren't first-past-the-post systems where you can manually count, so I'm not taking a position on first-past-the-post systems or not.

Q - Sherry Romanado: I wasn't asking what voting system.... I'm looking at what the possible ramifications are of using that.

Given that, you did mention our military who are serving overseas. I have two sons currently serving in the Canadian Armed Forces, so it's something that's important to me. Is there a possibility of leveraging technology, knowing the risks, to reach folks who want to be able to vote?

You mentioned the downloading of the form and filling it out and so on and so forth, but is there a possibility of leveraging technology to increase the efficiencies in how we handle our elections? Is there still something that can be done in terms of improving it?

A - Barbara Simons:  In terms of downloading, the example I gave of the United States for the military overseas—the mail is expedited and is paid for by the government—is a way of doing it without looking at more technological fixes. The government could expedite the return of the voter ballots for free. That would certainly help.

I'm reluctant to suggest having a small number of voters vote over the Internet, just because we have seen certainly in the United States and here too that sometimes a small number of voters can change an outcome. I'd hate to see even a small number of ballots being vulnerable. It's better than a large number, but—

Intervention from the Chair Francis Scarpaleggia (question session out of time): Thank you, Dr. Simons.

Q - Pat Kelly: I'll ask Dr. Simons to comment on this. Although much of the panel has been in concurrence over the non-desirability of Internet voting, nevertheless it struck me that, if online voting was merely an enabling tool to address people with mobility problems or those who are in remote areas—although we've heard from other witnesses about the challenges there—then does that take the target off an election? If we are talking about a relatively small number of votes that may be identified in some cases with geographically remote places, then does that take the target off? Is it safer if it is not the default, or is there absolutely no acceptable use or application for online voting?

A - Barbara Simons: I think there are acceptable uses for online voting for elections that don't matter much. For example, for prom queen, I don't care. I think it depends on how important you think the election is and how much of a risk you want to take. Obviously, fewer people voting over the Internet means the risk will be smaller. If the election doesn't matter, then who cares if it is risky or not?

Q - Pat Kelly: In your opinion, there's no acceptable way to do it, if you place value on the outcome of an election, which we most certainly do at this committee.

A - Barbara Simons: How much risk do you want to take?

Labels: , , , , ,

Friday, September 30, 2016

Parliamentary Committee Meeting permalinks

On the Parliament of Canada website parl.gc.ca links to committee meetings are usually given using document IDs.  The problem is that if the meeting is amended (which happens often), they are creating a new document ID, and the previous document ID doesn't redirect to the new one.  Which means a link to a meeting that worked one day may break the next day, with no explanation.  (This is an incorrect implementation; I don't know whether it is a CMS issue, or a lack of web understanding, or what.)

So here's how a link is typically provided


HOW TO make a permanent link

But it appears there is actually a permanent linking system in the background, it's just not used.  It's of format

http://www.parl.gc.ca/HousePublications/Publication.aspx?Pub=CommitteeMeetingNotice&Acronym=[4 letter committee acronym]&Mee=[meeting number]&Language=e&Mode=1&Parl=[Parliament number]&Ses=[Parliamentary session number]

e.g. for the above document ID 8451116 URL, the equivalent would be


That is to say, meeting number 34 of the ERRE Special Committee on Electoral Reform, during the 42nd Parliament, session 1.

Sunday, September 18, 2016

Electoral Reform in Canada and information about Electronic Voting and Online Voting

First I want to make it clear that I understand the public servants preparing these materials are working on a tight deadline, with a lot of information to prepare in a short period of time.  I sympathise with the challenges they face.

I believe in evidence-based decisionmaking.  Here is the fundamental problem about the current consultations (parallel Ministerial and Committee consultations) about electoral reform: they are both asking about electronic voting and online voting with no evidence provided whatsoever.  No learning materials on electronic and online voting, no backgrounder, not even any definitions.

We don't even have the very basics to agree on what it is that we're discussing, let alone to have an informed discussion.

Here's the process one is supposed to follow:

1. Go to Canada.ca/Democracy
2. Click on Learn

3. Click on "Electronic Voting and Online Voting"

Except you can't.  Because there is no section on electronic voting and online voting.  Here are the sections:

You can click all you want on any of the eleven sections provided, and out of all eleven, you will find literally a single sentence (maybe) relating to electronic voting, in Changing Canada's federal electoral system - How you vote.

Where is the evidence for the statement that introducing new technologies could pave the way for online voting?  Does "introducing new technologies at the polls" mean electronic voting machines?  What does it mean? Where is the mandate for this approach to gradually transition to online voting via electronic voting?  Where is the discussion and debate about this approach?  Well there is no evidence, no definition, no mandate and no discussion.  It just appeared out of nowhere.

Maybe we can look at the Glossary of Canadian electoral reform terms?  Well no. 
It has no definition for electronic voting

and no definition for online voting

The only other information available would involve reading the Electoral systems factsheet and for some reason clicking the Library of Parliament backgrounder, and then, having landed on a bunch of text, for some reason scrolling down page after page until you reach section 6.2 Online Voting.  Which, even if by some extraordinary degree of interest you manage to reach it, is a wildly inadequate background on online voting anyway.  There is no amount of clicking and scrolling that will get you to a backgrounder on electronic voting, for there is none.

It's worth noting in addition that the committee doesn't actually have electronic voting in its mandate, although that doesn't seem to make any difference in the fact that we're proceeding to discuss electronic voting anyway.

To Sum Up

As evidence-based decisionmaking goes, this is not a model process.

What You Can Do

If you're concerned about Canada using electronic voting machines or online voting in national elections, please participate in the consultation (deadline October 7, 2016) and make your opinion heard.

What I Did

To address the lack if information, I have written a briefing note on online voting.

I will write a briefing note on electronic voting as well, but in the meantime, you can watch Zachary Quinto explain how US electronic voting machines can be hacked, and then watch Tom Scott talk about why electronic voting is a bad idea.

Labels: , , , , ,

Thursday, September 15, 2016

Analysis of City of Hamilton 2016 Internet Voting report

The City of Hamilton has posted a report about "alternative voting" for the General Issues Committee on September 21, 2016, 9:30 AM.

(Many cities in Ontario will be producing such reports in advance of the 2018 elections.)

You can see the agenda, and the report is discussion item 8.4 Alternative Voting Options (CL16010) (City Wide).  To get a permanent download link you have to get the link from the file icon on the right, after clicking on item 8.4.

Here's the link to the report itself: http://hamilton.siretechnologies.com/sirepub/view.aspx?cabinet=published_meetings&fileid=157256 (PDF)

(You have to know how to navigate the SIRE public documents system, for which I must say Hamilton has a particularly poor implementation.)

The report is fairly typical for a city staff report, which is to say a lot of assertions without any citations.  Let's have a look starting on page 5, Internet Voting
Experts are divided as to the use of internet voting. Those in opposition site [sic.] the opportunity for attacks, viruses, lack of a ballot audit trail, or denials of service.
No.  Experts are not divided.  Find me the 50% of computer security experts who strongly endorse Internet voting.  The reality is the vast majority of computer security experts, and indeed the larger computer science expert community, is opposed to online voting until a number of extremely challenging technical requirements can be demonstrated conclusively to be resolved.  This consensus is so strong that the US Association of Computing Machinery, the largest organisation of computer scientists, has a consensus recommendation against paperless voting tabulators and against internet voting entirely.  (This in a world where it is usually difficult to get scientists to agree on many things.)
An example of a denial of service occurred at an N.D.P convention where electors were prohibited from voting due to a restrictive program put in place by an outside source.
This is awkwardly described, but it is true.  The NDP used online voting and experienced a denial of service attack.  In fact they've had technical problems in 2003[1] and in 2012[2][3][4].  It's also worth noting that they used third-party, for-profit companies for the voting.

[1] CPAC Special - NDP Federal Leadership Convention – January 25, 2003 (Part 3 of 17)
[2] Toronto Star - Internet voting carries risk as show [sic.] by NDP experience - by Michael Geist - March 31, 2012
[3] iPolitics - NDP cyber attack a warning to stay away from Internet voting: expert - by James Munson - April 14, 2012
[4] Huffington Post - NDP Denial of Service Attack

There have also been technical problems in many many other uses of telephone and online voting for political parties in Canada, which doesn't seem to stop any of them from continuing to use these flawed technologies.  Notably, there were reports of hacking in the 2014 Alberta PC leadership election.  "Police may be called in to probe the suspected hacking of the online voting system used to elect Jim Prentice as Alberta Tory party leader and premier-designate, a senior party official said Sunday."[5]

[5] Calgary Herald - Hacking of online voting - by Darcy Henton - September 8, 2014
It is perhaps not surprising that Hamilton would cite the NDP 2012 incident, as they cited the exact same incident in their 2012 report Alternative Voting Solutions for Municipal Elections (FCS12046).  In fact, the 2016 report is just a slightly updated version of the 2012 report.

These incidents cited are, however, relatively minor in the grand scheme of things.  What people should be much more concerned about is that Canadian federal government departments have been repeatedly, severely, successfully attacked.  Including departments with sophisticated technical capabilities.
An example of an attack was an internet voting program test conducted by the City of Washington, D.C. that was reprogrammed by University of Michigan students to play the Michigan fight song.
This is a good example, it was work done by J. Alex Halderman and his team of students.  You can see him report on it from 7:11 to 14:02 in the video of his USENIX Enigma 2016 talk Internet Voting: What Could Go wrong? and also read his paper about the attack and the accompanying materials

Attacking the Washington, D.C. Internet Voting System (blog post, testimony, video)
Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman
Proc. 16th Intl. Conference on Financial Cryptography and Data Security (FC ’12), Bonaire, February 2012

For an even more extensive overview of these kinds of vulnerabilities, read his book chapter Practical Attacks on Real-world E-voting (PDF).

Note that this is one of the very rare times that a jurisdiction has allowed a public hacking challenge.  Every time a public hacking challenge is opened, vulnerabilities are found.  Most importantly, the third-party, for-profit companies that are used in Ontario municipal Internet voting have never permitted a public hacking challenge or indeed any meaningfully extensive independent security audit.
Overall municipalities using internet are finding that although the voting on advance polls has risen significantly, the overall percentage of voters has either remained the same or showed a slight improvement in numbers.
Online voting never substantially increases turnout.  And contrary to the perception that it will increase voting by younger and disadvantaged voters, in an extensive study of Ontario's municipal online voting, Dr. Nichole Goodman finds that "The typical online voter is older, educated and wealthier."[6]

[6] Internet Voting Project - Executive Summary (PDF) - August 2016

It is also important to understand that Dr. Goodman is a social scientist, doing a survey-based analysis of satisfaction with online voting.  She is not a computer scientist and has not done an examination of the security of the voting systems.

Hamilton Pro/Con

Pro and Con taken from their report.

Pro: Possible increase in voter turnout.

There is no substantial increase in voter turnout.  In the only example of national online voting, Estonia, after 9 years of offering online voting their turnout is lower than Canada's in the last election.

Con: Ability for others to influence how an elector is to vote.

This risk, the risk of voter coercion, is a significant one and one that has nothing to do with technology, it has to do with the fact that the casting of the vote can be observed.  I devoted some time to this risk in my presentation on online voting as often overlooked.  I don't see any good way to reduce this risk for online voting.  In case you think it is minor, at any time in history when votes could be easily coerced, they were coerced.

Con: Hacking, viruses or denial of services. (Average age of a hacker is 18-22 and they do it as a challenge.)

Hacking is definitely a serious consideration.  Most significant is the fact that online voting involves casting votes from a personal computer or smartphone.  Many millions of personal computers and smartphones are already known to be compromised by various types of malicious software.  The second part is kind of funny in its misunderstanding of hackers.  Anyone can be a hacker.  By far the two most serious threats are criminal gangs, who conduct very sophisticated attacks, most recently involving ransomware[7], and countries with professional hacking teams ("nation-state attackers") who have the time, money and expertise to compromise almost any system[8].  Comparing the basement script kiddie hacker to a nation-state team of attackers is like comparing a BB gun to a bunch of missile launchers.

[7] CSO - A single ransomware network has pulled in $121 million - by Maria Korolov - September 14, 2016
[8] Information Week - Dark Reading - Nation-State Cyberthreats: Why They Hack - by Mike Walls - January 8, 2015

The threat of nation-state attackers is in fact so significant that the US has raised the possibility of classifying election technology as critical infrastructure [9], and the US Department of Homeland Security recommends against online voting, stating “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results."[10]

[9] New York Times - U.S. Seeks to Protect Voting System From Cyberattacks - by Julie Hirschfeld Davis - August 3, 2016
[10] Washington Post - More than 30 states offer online voting, but experts warn it isn’t secure - by Sari Horwitz - May 17, 2016

In light of the above, I support the City of Hamilton staff recommendation, which is silent about Internet voting (i.e. does not recommend the use of Internet voting for the 2018 election).

Also note that the City of Toronto did a security analysis of Ontario municipal Internet voting options (PDF) and the report concluded that none of the systems met the security requirements (even for the limited amount of security analysis they were able to conduct on the third-party, closed-source, for-profit commercial systems).  Kudos to Toronto for hiring computer scientists to conduct an expert study.

In addition, Quebec has had a moratorium on electronic voting since a debacle with their machines in 2006, BC's Independent Panel recommended against Internet voting and when Australia did an extensive Parliamentary investigation with 20 hearings and over 200 submissions, they concluded that electronic voting would catastrophically compromise election integrity.

For vote tabulators (vote counting machines), they are acceptable if they are mark-sense paper ballot scanners.  Ideally with extensive auditing including random testing on election day, by pulling machines out of service to test them (unfortunately almost no jurisdiction actually does this). If the majority of votes is cast instead on touch screen, this is unacceptable.

August 22, 2016  City of Kitchener 2012 report on Internet Voting
June 23, 2016  City of Mississauga report on Internet Voting

Labels: , , ,

<- Older Posts - Newer Posts ->

This page is powered by Blogger. Isn't yours?