Thursday, September 15, 2016

Analysis of City of Hamilton 2016 Internet Voting report

The City of Hamilton has posted a report about "alternative voting" for the General Issues Committee on September 21, 2016, 9:30 AM.

(Many cities in Ontario will be producing such reports in advance of the 2018 elections.)

You can see the agenda, and the report is discussion item 8.4 Alternative Voting Options (CL16010) (City Wide).  To get a permanent download link you have to get the link from the file icon on the right, after clicking on item 8.4.

Here's the link to the report itself: http://hamilton.siretechnologies.com/sirepub/view.aspx?cabinet=published_meetings&fileid=157256 (PDF)

(You have to know how to navigate the SIRE public documents system, for which I must say Hamilton has a particularly poor implementation.)

The report is fairly typical for a city staff report, which is to say a lot of assertions without any citations.  Let's have a look, starting on page 5, Internet Voting:

"Experts are divided as to the use of internet voting. Those in opposition site [sic.] the opportunity for attacks, viruses, lack of a ballot audit trail, or denials of service."

No.  Experts are not divided.  Find me the 50% of computer security experts who strongly endorse Internet voting.  The reality is the vast majority of computer security experts, and indeed the larger computer science expert community, is opposed to online voting until a number of extremely challenging technical requirements can be demonstrated conclusively to be resolved.  This consensus is so strong that the US Association for Computing Machinery, the largest organisation of computer scientists, has a consensus recommendation against paperless voting tabulators and against internet voting entirely.  (This in a world where it is usually difficult to get scientists to agree on many things.)

"An example of a denial of service occurred at an N.D.P convention where electors were prohibited from voting due to a restrictive program put in place by an outside source."

This is awkwardly described, but it is true.  The NDP used online voting and experienced a denial of service attack.  In fact they've had technical problems in 2003[1] and in 2012[2][3][4].  It's also worth noting that they used third-party, for-profit companies for the voting.

[1] CPAC Special - NDP Federal Leadership Convention – January 25, 2003 (Part 3 of 17)
[2] Toronto Star - Internet voting carries risk as show [sic.] by NDP experience - by Michael Geist - March 31, 2012
[3] iPolitics - NDP cyber attack a warning to stay away from Internet voting: expert - by James Munson - April 14, 2012
[4] Huffington Post - NDP Denial of Service Attack

There have also been technical problems in many, many other uses of telephone and online voting for political parties in Canada, which doesn't seem to stop any of them from continuing to use these flawed technologies.  Notably, there were reports of hacking in the 2014 Alberta PC leadership election.  "Police may be called in to probe the suspected hacking of the online voting system used to elect Jim Prentice as Alberta Tory party leader and premier-designate, a senior party official said Sunday."[5]

[5] Calgary Herald - Hacking of online voting - by Darcy Henton - September 8, 2014

It is perhaps not surprising that Hamilton would cite the NDP 2012 incident, as they cited the exact same incident in their 2012 report Alternative Voting Solutions for Municipal Elections (FCS12046).  In fact, the 2016 report is just a slightly updated version of the 2012 report.

These incidents cited are, however, relatively minor in the grand scheme of things.  What people should be much more concerned about is that Canadian federal government departments, including departments with sophisticated technical capabilities, have been repeatedly, severely, successfully attacked.

"An example of an attack was an internet voting program test conducted by the City of Washington, D.C. that was reprogrammed by University of Michigan students to play the Michigan fight song."

This is a good example; it was work done by J. Alex Halderman and his team of students.  You can see him report on it from 7:11 to 14:02 in the video of his USENIX Enigma 2016 talk Internet Voting: What Could Go Wrong? and also read his paper about the attack and the accompanying materials:

Attacking the Washington, D.C. Internet Voting System (blog post, testimony, video)
Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman
Proc. 16th Intl. Conference on Financial Cryptography and Data Security (FC ’12), Bonaire, February 2012

For an even more extensive overview of these kinds of vulnerabilities, read his book chapter Practical Attacks on Real-world E-voting (PDF).

Note that this is one of the very rare times that a jurisdiction has allowed a public hacking challenge.  Every time a public hacking challenge is opened, vulnerabilities are found.  Most importantly, the third-party, for-profit companies that are used in Ontario municipal Internet voting have never permitted a public hacking challenge or indeed any meaningfully extensive independent security audit.

"Overall municipalities using internet are finding that although the voting on advance polls has risen significantly, the overall percentage of voters has either remained the same or showed a slight improvement in numbers."

Online voting never substantially increases turnout.  And contrary to the perception that it will increase voting by younger and disadvantaged voters, in an extensive study of Ontario's municipal online voting, Dr. Nicole Goodman finds that "The typical online voter is older, educated and wealthier."[6]

[6] Internet Voting Project - Executive Summary (PDF) - August 2016

It is also important to understand that Dr. Goodman is a social scientist, doing a survey-based analysis of satisfaction with online voting.  She is not a computer scientist and has not done an examination of the security of the voting systems.

Hamilton Pro/Con

Pro and Con taken from their report.

Pro: Possible increase in voter turnout.

There is no substantial increase in voter turnout.  In the only example of national online voting, Estonia, after 9 years of offering online voting their turnout is lower than Canada's in the last election.

Con: Ability for others to influence how an elector is to vote.

This risk, the risk of voter coercion, is a significant one and one that has nothing to do with technology; it has to do with the fact that the casting of the vote can be observed.  I devoted some time to this risk in my presentation on online voting, as it is often overlooked.  I don't see any good way to reduce this risk for online voting.  In case you think it is minor, at any time in history when votes could be easily coerced, they were coerced.

Con: Hacking, viruses or denial of services. (Average age of a hacker is 18-22 and they do it as a challenge.)

Hacking is definitely a serious consideration.  Most significant is the fact that online voting involves casting votes from a personal computer or smartphone.  Many millions of personal computers and smartphones are already known to be compromised by various types of malicious software.  The second part is kind of funny in its misunderstanding of hackers.  Anyone can be a hacker.  By far the two most serious threats are criminal gangs, who conduct very sophisticated attacks, most recently involving ransomware[7], and countries with professional hacking teams ("nation-state attackers") who have the time, money and expertise to compromise almost any system[8].  Comparing the basement script kiddie hacker to a nation-state team of attackers is like comparing a BB gun to a bunch of missile launchers.

[7] CSO - A single ransomware network has pulled in $121 million - by Maria Korolov - September 14, 2016
[8] Information Week - Dark Reading - Nation-State Cyberthreats: Why They Hack - by Mike Walls - January 8, 2015

The threat of nation-state attackers is in fact so significant that the US has raised the possibility of classifying election technology as critical infrastructure[9], and the US Department of Homeland Security recommends against online voting, stating “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results.”[10]

[9] New York Times - U.S. Seeks to Protect Voting System From Cyberattacks - by Julie Hirschfeld Davis - August 3, 2016
[10] Washington Post - More than 30 states offer online voting, but experts warn it isn’t secure - by Sari Horwitz - May 17, 2016

In light of the above, I support the City of Hamilton staff recommendation, which is silent about Internet voting (i.e. does not recommend the use of Internet voting for the 2018 election).

Also note that the City of Toronto did a security analysis of Ontario municipal Internet voting options (PDF) and the report concluded that none of the systems met the security requirements (even for the limited amount of security analysis they were able to conduct on the third-party, closed-source, for-profit commercial systems).  Kudos to Toronto for hiring computer scientists to conduct an expert study.

In addition, Quebec has had a moratorium on electronic voting since a debacle with their machines in 2006, BC's Independent Panel recommended against Internet voting, and when Australia did an extensive Parliamentary investigation with 20 hearings and over 200 submissions, they concluded that electronic voting would catastrophically compromise election integrity.

Vote tabulators (vote counting machines) are acceptable if they are mark-sense paper ballot scanners, ideally with extensive auditing including random testing on election day, by pulling machines out of service to test them (unfortunately almost no jurisdiction actually does this).  If the majority of votes are cast instead on touch screens, this is unacceptable.

August 22, 2016  City of Kitchener 2012 report on Internet Voting
June 23, 2016  City of Mississauga report on Internet Voting


Monday, September 12, 2016

Ottawa - Sept 15, 2016 - Electoral Reform consult with Minister Monsef

The Federal electoral reform community dialogue tour with the Honourable Maryam Monsef, Minister of Democratic Institutions, will hold its Ottawa / Gatineau / National Capital Region (NCR) event on Thursday September 15, 2016 at 7pm in Gatineau.

Crowne Plaza Gatineau
Salon des Nations
2 Montcalm Street
Gatineau, Quebec (sector Hull)

The discussion will include online voting, for which I have written an online voting backgrounder as the consultation itself does not provide any detailed information.

This Ministerial consultation is a separate process from the Special Committee on Electoral Reform (ERRE) consultations, and associated MP consultations, and possible citizen consultations, which are also taking place across the country at the same time.

In theory you're supposed to know that the committee hashtag is #ERRE, whereas the Ministerial consultations have the hashtag #EngagedInER and tweet from @CdnDemocracy, but in practice I'm guessing many people are not aware of the distinction.  On top of that, people are also using the hashtag #electoralreform.

In brief, the Ministerial consultations provide feedback to the Minister directly, while the Special Committee (ERRE) consultations feed into a report with recommendations that the Minister will consider (the Minister is of course free to decide not to accept certain committee recommendations).


Sunday, September 11, 2016

Electoral reform consultations discussing electronic voting in addition to online voting

I'm going to assume that this is just an unfortunate misunderstanding about terminology and mandate.

Online voting means voting over the Internet.  You cast your vote from your home computer or smartphone.

Electronic voting means voting on a voting machine (a voting computer) at a polling place.

Electronic vote counting means vote tabulators of various sorts, most commonly optical mark-sense readers that count votes by scanning marked paper ballots.

Recommendations for Consultation

0. Discontinue discussion of electronic voting

However, if discussion of electronic voting is going to continue:
  1. The mandate for the Electoral Reform committee should be amended, adding after the words "online voting" the following: ", and electronic voting".
    But it is probably too late to do that.
  2. There should be clear definitions of electronic voting and online voting in the Host a Canadian federal electoral reform dialogue in your community materials and those definitions should also be provided to the committee.
  3. The focus of the electoral reform dialogue should be placed on online voting to respect the original committee mandate.
  4. The Library of Parliament Background Paper 2016-06 on Electoral Systems should have a section on electronic voting added.
  5. The Electoral Reform committee online survey should have questions about electronic voting added, and the consequences of currently-completed surveys only having questions about online voting will have to be considered.
  6. In future, more care must be taken with terminology used and alignment between committee activities and consultation materials.

Recommendations for Individuals

If you're concerned about Canada using electronic voting machines or online voting in national elections, please participate in the consultation (deadline October 7, 2016) and make your opinion heard.


The terms of reference for the Special Committee on Electoral Reform very clearly say only online voting.  There is no mention of electronic voting.

Here's Vote 79

and Vote 80

That's the mandate discussed in Parliament.

The town hall material and discussion has proceeded to talk about electronic voting. Without an adequate backgrounder. Without even a definition. So we may get reporting back about some jumbled up mix of voting machines and online voting, while the committee itself has only discussed online voting.

And electronic voting is a VERY DIFFERENT DISCUSSION than just online voting, with very different considerations.

I will now have to write a separate briefing about electronic voting machine risks.

Anyway, here's some of the town hall materials in order to demonstrate that electronic voting is being discussed.

Potential Canadian federal electoral reform event dialogue topics and questions

So it is clear that the terms electronic voting and online voting are not being used interchangeably; they are mentioned separately.  This is not just confusing one term for the other.

Electronic voting and online voting both link to this text below about "introducing new technologies at the polls", which again has no Parliamentary mandate that I can see, other than a chain of assumptions about how using voting machines could lead to using online voting.  There is no definition of either electronic voting or online voting provided.

Changing Canada’s federal electoral system

In addition, the only thing that is even close to a briefing, the Library of Parliament Background Paper 2016-06-E on Electoral Systems, which is already weak on online voting, has no section about electronic voting at all (presumably because it's not in the committee mandate).

And the committee survey also doesn't ask any questions about electronic voting.

Some of the dialogue guidance even focuses on electronic voting alone, without mentioning online voting.

Sample Canadian federal electoral reform event agenda and facilitator guide

And there are at the time of this writing five variations of the Canadian Democracy tweet below, asking about electronic voting; I assume at least one tweet per town hall meeting.

"Electronic and Online voting?  Good idea? Bad idea? #EngagedinER" - @CdnDemocracy - 10:56 PM - 9 Sep 2016

So to sum up:


Briefing note on online voting in Canada

Make It Short

The Canadian government has already been cyberattacked by nation-states, computer security experts warn that online voting is not secure, national security experts warn that online voting is not secure, and online voting won't increase turnout.

Here's the evidence:
As further quick background I recommend:

I Want To Know More
