Thursday, September 15, 2016
Analysis of City of Hamilton 2016 Internet Voting report
The City of Hamilton has posted a report about "alternative voting" for the General Issues Committee on September 21, 2016, 9:30 AM.(Many cities in Ontario will be producing such reports in advance of the 2018 elections.)
You can see the agenda, and the report is discussion item 8.4 Alternative Voting Options (CL16010) (City Wide). To get a permanent download link you have to get the link from the file icon on the right, after clicking on item 8.4.
Here's the link to the report itself: http://hamilton.siretechnologies.com/sirepub/view.aspx?cabinet=published_meetings&fileid=157256 (PDF)
(You have to know how to navigate the SIRE public documents system, for which I must say Hamilton has a particularly poor implementation.)
The report is fairly typical for a city staff report, which is to say a lot of assertions without any citations. Let's have a look starting on page 5, Internet Voting
Experts are divided as to the use of internet voting. Those in opposition site [sic.] the opportunity for attacks, viruses, lack of a ballot audit trail, or denials of service.No. Experts are not divided. Find me the 50% of computer security experts who strongly endorse Internet voting. The reality is the vast majority of computer security experts, and indeed the larger computer science expert community, is opposed to online voting until a number of extremely challenging technical requirements can be demonstrated conclusively to be resolved. This consensus is so strong that the US Association of Computing Machinery, the largest organisation of computer scientists, has a consensus recommendation against paperless voting tabulators and against internet voting entirely. (This in a world where it is usually difficult to get scientists to agree on many things.)
An example of a denial of service occurred at an N.D.P convention where electors were prohibited from voting due to a restrictive program put in place by an outside source.This is awkwardly described, but it is true. The NDP used online voting and experienced a denial of service attack. In fact they've had technical problems in 2003 and in 2012. It's also worth noting that they used third-party, for-profit companies for the voting.
 CPAC Special - NDP Federal Leadership Convention – January 25, 2003 (Part 3 of 17)
 Toronto Star - Internet voting carries risk as show [sic.] by NDP experience - by Michael Geist - March 31, 2012
 iPolitics - NDP cyber attack a warning to stay away from Internet voting: expert - by James Munson - April 14, 2012
 Huffington Post - NDP Denial of Service Attack
There have also been technical problems in many many other uses of telephone and online voting for political parties in Canada, which doesn't seem to stop any of them from continuing to use these flawed technologies. Notably, there were reports of hacking in the 2014 Alberta PC leadership election. "Police may be called in to probe the suspected hacking of the online voting system used to elect Jim Prentice as Alberta Tory party leader and premier-designate, a senior party official said Sunday."
 Calgary Herald - Hacking of online voting - by Darcy Henton - September 8, 2014
It is perhaps not surprising that Hamilton would cite the NDP 2012 incident, as they cited the exact same incident in their 2012 report Alternative Voting Solutions for Municipal Elections (FCS12046). In fact, the 2016 report is just a slightly updated version of the 2012 report.
These incidents cited are, however, relatively minor in the grand scheme of things. What people should be much more concerned about is that Canadian federal government departments have been repeatedly, severely, successfully attacked. Including departments with sophisticated technical capabilities.
An example of an attack was an internet voting program test conducted by the City of Washington, D.C. that was reprogrammed by University of Michigan students to play the Michigan fight song.This is a good example, it was work done by J. Alex Halderman and his team of students. You can see him report on it from 7:11 to 14:02 in the video of his USENIX Enigma 2016 talk Internet Voting: What Could Go wrong? and also read his paper about the attack and the accompanying materials
Attacking the Washington, D.C. Internet Voting System (blog post, testimony, video)
For an even more extensive overview of these kinds of vulnerabilities, read his book chapter Practical Attacks on Real-world E-voting (PDF).Note that this is one of the very rare times that a jurisdiction has allowed a public hacking challenge. Every time a public hacking challenge is opened, vulnerabilities are found. Most importantly, the third-party, for-profit companies that are used in Ontario municipal Internet voting have never permitted a public hacking challenge or indeed any meaningfully extensive independent security audit.
Overall municipalities using internet are finding that although the voting on advance polls has risen significantly, the overall percentage of voters has either remained the same or showed a slight improvement in numbers.Online voting never substantially increases turnout. And contrary to the perception that it will increase voting by younger and disadvantaged voters, in an extensive study of Ontario's municipal online voting, Dr. Nichole Goodman finds that "The typical online voter is older, educated and wealthier."
 Internet Voting Project - Executive Summary (PDF) - August 2016
It is also important to understand that Dr. Goodman is a social scientist, doing a survey-based analysis of satisfaction with online voting. She is not a computer scientist and has not done an examination of the security of the voting systems.
Pro and Con taken from their report.Pro: Possible increase in voter turnout.
There is no substantial increase in voter turnout. In the only example of national online voting, Estonia, after 9 years of offering online voting their turnout is lower than Canada's in the last election.
Con: Ability for others to influence how an elector is to vote.
This risk, the risk of voter coercion, is a significant one and one that has nothing to do with technology, it has to do with the fact that the casting of the vote can be observed. I devoted some time to this risk in my presentation on online voting as often overlooked. I don't see any good way to reduce this risk for online voting. In case you think it is minor, at any time in history when votes could be easily coerced, they were coerced.
Con: Hacking, viruses or denial of services. (Average age of a hacker is 18-22 and they do it as a challenge.)
Hacking is definitely a serious consideration. Most significant is the fact that online voting involves casting votes from a personal computer or smartphone. Many millions of personal computers and smartphones are already known to be compromised by various types of malicious software. The second part is kind of funny in its misunderstanding of hackers. Anyone can be a hacker. By far the two most serious threats are criminal gangs, who conduct very sophisticated attacks, most recently involving ransomware, and countries with professional hacking teams ("nation-state attackers") who have the time, money and expertise to compromise almost any system. Comparing the basement script kiddie hacker to a nation-state team of attackers is like comparing a BB gun to a bunch of missile launchers.
 CSO - A single ransomware network has pulled in $121 million - by Maria Korolov - September 14, 2016
 Information Week - Dark Reading - Nation-State Cyberthreats: Why They Hack - by Mike Walls - January 8, 2015
The threat of nation-state attackers is in fact so significant that the US has raised the possibility of classifying election technology as critical infrastructure , and the US Department of Homeland Security recommends against online voting, stating “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results."
 New York Times - U.S. Seeks to Protect Voting System From Cyberattacks - by Julie Hirschfeld Davis - August 3, 2016
 Washington Post - More than 30 states offer online voting, but experts warn it isn’t secure - by Sari Horwitz - May 17, 2016
In light of the above, I support the City of Hamilton staff recommendation, which is silent about Internet voting (i.e. does not recommend the use of Internet voting for the 2018 election).
Also note that the City of Toronto did a security analysis of Ontario municipal Internet voting options (PDF) and the report concluded that none of the systems met the security requirements (even for the limited amount of security analysis they were able to conduct on the third-party, closed-source, for-profit commercial systems). Kudos to Toronto for hiring computer scientists to conduct an expert study.
In addition, Quebec has had a moratorium on electronic voting since a debacle with their machines in 2006, BC's Independent Panel recommended against Internet voting and when Australia did an extensive Parliamentary investigation with 20 hearings and over 200 submissions, they concluded that electronic voting would catastrophically compromise election integrity.
For vote tabulators (vote counting machines), they are acceptable if they are mark-sense paper ballot scanners. Ideally with extensive auditing including random testing on election day, by pulling machines out of service to test them (unfortunately almost no jurisdiction actually does this). If the majority of votes is cast instead on touch screen, this is unacceptable.
August 22, 2016 City of Kitchener 2012 report on Internet Voting
June 23, 2016 City of Mississauga report on Internet Voting