Thursday, October 06, 2016
Brief submitted to Special Committee on Electoral Reform - October 2016
UPDATE 2016-10-26: My brief is now available on the committee website, in English and translated into French « Évaluation du vote électronique et en ligne dans le cadre des élections nationales au Canada ».
ENDUPDATE
You can find the PDF at
https://drive.google.com/open?id=0B1dTIjUvkfsDMTZtMkFjNmVuY1k
There you can download it by clicking on the down arrow in the upper right of the screen.
Or you can see the embedded version below.
Sunday, October 02, 2016
ERRE Presentation - Internet Voting: Making Elections Hackable - Dr. Barbara Simons
Audio is available from ParlVu. Panel 3 with Dr. Simons starts at 21:31:25.
Her presentation begins at 21:33:25 and ends at 21:39:32. The panel ends at 22:54:50.
I tried to use the built-in download-and-clip tool to get a segment of the audio but it didn't work for me.
UPDATE 2016-10-18:
Presentation
Transcript of Dr. Simons' presentation (from OpenParliament.ca)
Thank you for the opportunity to speak with you today about a critical issue: the fundamental insecurity of all currently available Internet voting systems. If this were a medical hearing to determine whether to approve a new drug for human consumption, safety would be paramount. A drug that is likely to result in serious injury to patients would be rejected, no matter how many people wanted to use it. Internet voting is like a drug we are considering for the country. If there is even a small chance that Internet voting might result in our elections being hacked, it doesn't matter how many people want it. If Internet voting puts our elections at risk—and it does—we must reject it until such time as it can be proven secure.
I have brought copies of the “Computer Technologists' Statement on Internet Voting”, which unfortunately hasn't been translated, so I guess I can't distribute them, but they will be made available later and I could address the recommendations made in that statement during the question period. It was signed by prominent computer science researchers from major universities throughout the United States. I think it's a fair statement to say that computer security experts are basically in total agreement that we should not have Internet voting at this time, anywhere.
The title of my talk is, “Internet Voting: Making Elections Hackable”. As you know, there are five principles for this hearing, one of which is integrity. Australia did an assessment of Internet voting and there's a quote from the Honourable Tony Smith, who was chair of the joint standing committee on electoral matters in Australia, which says, “it is clear to me...that Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.”
Those of you who have copies of my slides see that the next slide has a list of a large number of sites that have been hacked, starting with Yahoo, where half a billion users' accounts were hacked into, and that includes a lot of Canadians. It also includes, in Canada, the Department of Finance, the Treasury Board Secretariat, Defence Research and Development Canada, the National Research Council, The Ottawa Hospital, and the University of Calgary. In the United States it includes the Democratic National Committee, as I'm sure you've heard, the Office of Personnel Management, the Pentagon emails, the FBI, the White House, the U.S. State Department, Google, AOL, Symantec, and so on and so forth.
A question that I hope this committee will ask itself is, what will happen if we take up Internet voting in this country, and months after a government is seated it is discovered that the election has been hacked? This is not an unrealistic scenario. The Yahoo breach started in 2014 and it was just uncovered. The Democratic National Committee breach occurred months before it was discovered. It typically takes months to discover a breach after it has occurred. You can replace money that's stolen from online bank accounts—and by the way, millions and millions of dollars are stolen annually from online bank accounts—but you cannot replace votes.
Toronto did a security analysis of three systems that were submitted there for consideration. The conclusion of the security analysis was that no proposal provides adequate protection against the risks inherent in Internet voting. Their recommendation was that the city not proceed with Internet voting in upcoming municipal elections.
Quebec has had a moratorium on electronic voting since 2005.
British Columbia had a panel that investigated Internet voting. Their conclusion was, first of all, non-voters usually don't vote over the Internet. It's used primarily as a tool for voters who have already decided to vote, mostly middle-age voters. It's least popular among young people, and that reflects traditional voter turnout. Their recommendation is to not implement Internet voting for either local or provincial government elections at this time.
Estonia is often brought up as an example of a country that has successfully conducted Internet voting. Most people don't know that in 2014, an independent group of international experts performed a security evaluation of the Estonian system. They found that it's vulnerable to state-level attackers who could compromise the secret ballot, disrupt elections, or cast doubt on the fairness of the results, and it is vulnerable to a range of attacks, including vote-stealing malware on the voter's machine, and they recommended that Internet voting be halted. Unfortunately, in Estonia, it has not been.
Basically, Washington, D.C., was considering Internet voting for real elections in the 2010 mid-term. They opened it up two weeks beforehand to allow anyone from anywhere to try to hack into the system. This is the only time this has been done. Two weeks before, it was taken over within 36 hours by a team from the University of Michigan. They could change already cast and future ballots, and they could reveal the voters' secret ballots. They installed the University of Michigan fight song as their calling card, so it would start playing 15 seconds after voting in this sample election, which was quite interesting for those of us who didn't know they had broken in. They also discovered probes coming from China and Iran, and they protected the system from these probes.
I don't think that China and Iran were actually trying to break into a pilot system. It wasn't a real election; it was a toy election. But these probes are always on the Internet, and they are always trying to break in. As I said, no other vendor has allowed such a test because, I believe, they know that their systems would be vulnerable. In fact, the only kind of real-life test you can do is to let anyone from anywhere try to break in, because that's what reality is.
Thank you.
Q&A
Q - Gérard Deltell: Madam Simons, if we change the way we elect our people, we are open to discussion, but at the end of the day, the people shall decide by a referendum. It's not up to parties and politicians because we are in a conflict of interest with regard to the decision.
What do you think about that?
A - Barbara Simons: I think that a referendum may be fine for certain issues, but when it's a heavily technological issue like Internet voting, you really need to listen to the experts. In fact, when I first heard about Internet voting, I thought it was a great idea. I really wanted to do it, and most of my colleagues—almost all of us are geeks, I should say. Notice that I'm here with this. I mean, I live on a computer. I spend all day long on the computer. I love my computer. But I don't want to vote on my computer, not in a major election.
Look at what's happening in the United States right now, where the Democratic Party is terrified that the election is going to be rigged by Russia. Now, I'm not saying that's going to happen, but the very fact that people are even contemplating that idea is very disturbing.
I was in Estonia a few years ago, at the invitation of the Estonian Centre Party, which is the second-largest party in Estonia, and remember, as I said in my talk, people hold up Estonia as the model of Internet voting in a country.
They invited me there because they are convinced that their elections are being rigged. They are the second-largest party, and if you look at who votes over the Internet, members of their party do not.... At least they don't get votes over the Internet very much. Most of their votes come from paper ballots, because Estonia has both paper ballots and Internet voting. They wanted me to go there and tell them that the election was rigged. I couldn't do that, because there's no way to know.
That's one of the terrifying things of Internet voting. You could have malware, election-rigging malware, on the voter's machine which could change the vote before it goes out over the Internet. What you see on your screen is not necessarily what goes out, because there are different components in a computer. It could change what goes out and the voter would never know.
That means that when you get the electronic ballots at the other end, these bits, you cannot know if they accurately represent the will of the voters, and therefore, you cannot do a recount. I could not therefore tell members of the Estonian Centre Party that the election was rigged, nor could I tell them that it was not rigged.
I think that is a very unhealthy situation for a democracy.
Q - Gabriel Ste-Marie: I am going to start by addressing you, Ms. Simons.
Thank you for coming and warning us against electronic voting. The points you raised are disturbing. As you said, in the American election campaign, Russian computer scientists got hold of emails belonging to the woman who is a candidate for the office of president of the United States. In Canada, it would be unthinkable to realize, a year or two after an election, that the entire thing had been tampered with by foreign interests and that this had even put, who knows, the Bloc Québécois in power. That would be hard to believe, but in any event, we have to be careful.
What is good about our system is that we have a little piece of paper and a little pencil, we mark an X and we put the paper in the box, so it can be counted and examined.
I have a concern about electronic voting. The fact that the person voting would not be alone in a booth concerns me. We could have vote-buying, negative influence, fear, and so on. In your eyes, do these factors also amount to obstacles to electronic voting?
A - Barbara Simons: I think when you talk about the person not being alone with Internet voting, that's an issue for any kind of remote voting. It's the same for voting by mail. With Internet voting, you have to worry about voter coercion and vote buying and selling. That's of concern to me. I think remote voting should be held to a minimum. There are people who have to do it because they are not well, or they are away and they have to vote remotely, but generally speaking, it shouldn't be, as it is in many parts of the United States, made available to everybody. My experience in Canada is that it isn't made available to everybody. It's not that easy, and I think that's a good thing.
You talked about the paper ballots. I was a poll worker in a provincial election here, and I thought the way the election was run was wonderful. I've also worked on an election in the United States, and believe me, it's done much better in Canada. It really is.
One of the things that's nice about the way it's done in Canada is that when the election was over, we all tabulated the ballots. There were all these rules. They had to come out right. There was a lot of double-checking and triple-checking, and nobody could leave until it all worked. There was one table that hadn't quite...they were off by one, and the rest of us were hungry, but we couldn't leave until they finally worked it out. I thought it was wonderful.
Another thing I hope you will keep in mind when you think about moving to another form of voting is whether you can retain this spirit, this counting locally, and this being able to check locally and have observers from all the parties who can look at what's going on. If you move to a complicated form of voting, then you're going to have to use computers, and you won't be able to see what's going on inside the computers. You'll be dependent on the software, which could have software bugs or it could have malware.
Q - John Aldag: Dr. Simons, I want to start the questioning with you.
I found the information you provided fascinating. As Mr. Cullen had noted when we started, it seemed that online voting could be a solution to a lot of our problems, including accessibility. You've just taken that and thrown it in the trash can for me. It causes me some concern. Is there any hope for any application down the road?
One of the things we've been asked to look at is increasing accessibility and voter participation. I know from my own experience during my first election in October, I did have people who were unable to make it to the polling booth, and Elections Canada did some great work to make their votes accessible. I thought there could be some great opportunities for those who are homebound dealing with disabilities.
Then we had a witness from the Canadian National Institute for the Blind who spoke with us more recently. Her testimony really touched me. She talked about never having been able to have a secret ballot. One of the many messages I got from her is that many persons with disabilities, particularly visual disabilities, have technology that they work with at home that uses oral prompts and other things to help them. I thought maybe we need to go with a limited-reach online voting. We heard that from our Chief Electoral Officer, to maybe go small and do some test populations.
Until you spoke, I was hoping that we could convince Elections Canada to start with a population such as those with sight disabilities and pilot something, but with what you're saying, the risks are so high.
Would you advise us and direct us away from even going that far, because of the vulnerabilities?
A - Barbara Simons: There are safer alternatives.
In the United States there's been a lot of concern about voters in the military overseas, because it takes a long time, and about people with disabilities. What's done there, and I think this could be done in Canada, is that you can make the blank ballot available online. In the U.S. for military voters, by law it's made available at least 45 days in advance of the election. They download the ballot, print it out, fill it out, and mail it in.
Now, with voters with disabilities, you could download the ballot onto the computer, and they could use their tools to vote. One thing you need to be careful about is that when that happens, you don't want their computer communicating with the main server, because that's basically Internet voting again, and you have lots of issues, such as the secret ballot. But they can download it onto their computer, disconnect from the Internet, and then fill it out locally so that they can take advantage of the tools they have. A blind voter can fill it out, print it out, and then mail it in by postal mail. Again, they can use the tools, and if it's done enough in advance, they don't have to worry about the time for the postal mail.
Q - John Aldag: It's a wonderful suggestion, very practical.
What else have you encountered in this area of research that you can get to us while we have access to your expertise, before the chair cuts me off? Are there any other gems you can give us that will help us reach out to some of these populations that have been disenfranchised from our voting system?
A - Barbara Simons: I know there's been concern among first nations. I've heard some testimony in another event where a first nation person was strongly advocating for Internet voting.
Again, I think it does a disservice to voters with disabilities, to first nations, to anybody, to provide them with a tool that is fundamentally insecure. We owe it to them when we provide them with alternatives to make sure those alternatives are secure.
That would be my recommendation.
Comment - Scott Reid: I don't have any questions for you, Dr. Simons, and that's because you've resolved matters in my mind. I'm now firmly committed to not moving to electronic voting. In fact, I'm completely paranoid. That was very convincing.
Q - Sherry Romanado: Dr. Simons, like my colleagues, I have to say that if we weren't already unsure about Internet voting, your testimony this evening scared some of us. I'll add to this, so please forgive my little sidebar.
In addition to sitting on the committee for electoral reform, I also sit on the Standing Committee on National Defence. We've just completed part of a study on the defence of North America, specifically on aerial readiness. We spent some time at NORAD during this study, where we heard about the emerging threats, conventional and asymmetrical attacks, and specifically, cyber-threats and cyber-attacks here in Canada.
You brought up a point that I hadn't thought of. We heard that there was an increase in the potential for cyber-attacks in Canada, and in fact Canada is now looking at a consultation to upgrade our national cybersecurity policy. You mentioned the actual machines to do the count, and I thought that was interesting, because I had only heard about the e-voting or online voting. You mentioned that whatever system we decide to put into place, if there are requirements for algorithms or calculations coming out of whatever we choose, those are also susceptible to cyber-attack.
For instance, it's simple to count the ballots—and I think most of us have volunteered at elections where you get to count the ballots—but if we actually have a system where we have to run these ballots or votes through a machine for it to then do the calculations, whether it be a proportional system or whatever system we choose, those too are susceptible to attack.
Could you elaborate a bit on that? I hadn't thought of that portion.
A - Barbara Simons: By the way, before I do that, here's one other thing to help make you more paranoid with regard to Internet voting. Think about ransomware and how that could be applied to Internet voting.
Getting back to your question, in terms of being subject to cyber-attack, that would depend on whether or not it has access to the Internet. I'm not saying that introducing computers into the election process necessarily would make them vulnerable to cyber-attack. What I'm saying is that when you bring in the computers, you are dependent on the computers. You're dependent on the algorithm for counting the votes.
In the case of some of these systems, that can be complicated. You have to be careful that the algorithm is correct, that the code was written correctly, and that no bad person has gotten their hands on those machines and changed the software to rig the election in some way. You can't really open up the machine and look at it the way you can pieces of paper. You just have to be more careful. There are risks whenever you introduce computers into the system.
It's kind of funny, because the people who are raising the alarm, by and large, are the computer scientists, and when I first started this, we were being told by people who really didn't know anything about computers that we were Luddites to talk about these issues.
I'm just counselling you that if we move to a very complicated system that can't be tabulated manually, it means that computers will have to come in. That means that in some sense we're going to be outsourcing the election to the vendors. Even if it's homegrown software, you still are dependent on the people who write the software and on the algorithms being correct. You introduce an element of risk, and you also don't have the transparency that our elections currently have, and I think that transparency is really a wonderful thing.
There are other forms of voting that aren't first-past-the-post systems where you can manually count, so I'm not taking a position on first-past-the-post systems or not.
Q - Sherry Romanado: I wasn't asking what voting system.... I'm looking at what the possible ramifications are of using that.
Given that, you did mention our military who are serving overseas. I have two sons currently serving in the Canadian Armed Forces, so it's something that's important to me. Is there a possibility of leveraging technology, knowing the risks, to reach folks who want to be able to vote?
You mentioned the downloading of the form and filling it out and so on and so forth, but is there a possibility of leveraging technology to increase the efficiencies in how we handle our elections? Is there still something that can be done in terms of improving it?
A - Barbara Simons: In terms of downloading, the example I gave of the United States for the military overseas—the mail is expedited and is paid for by the government—is a way of doing it without looking at more technological fixes. The government could expedite the return of the voter ballots for free. That would certainly help.
I'm reluctant to suggest having a small number of voters vote over the Internet, just because we have seen certainly in the United States and here too that sometimes a small number of voters can change an outcome. I'd hate to see even a small number of ballots being vulnerable. It's better than a large number, but—
Intervention from the Chair Francis Scarpaleggia (question session out of time): Thank you, Dr. Simons.
Q - Pat Kelly: I'll ask Dr. Simons to comment on this. Although much of the panel has been in concurrence over the non-desirability of Internet voting, nevertheless it struck me that, if online voting was merely an enabling tool to address people with mobility problems or those who are in remote areas—although we've heard from other witnesses about the challenges there—then does that take the target off an election? If we are talking about a relatively small number of votes that may be identified in some cases with geographically remote places, then does that take the target off? Is it safer if it is not the default, or is there absolutely no acceptable use or application for online voting?
A - Barbara Simons: I think there are acceptable uses for online voting for elections that don't matter much. For example, for prom queen, I don't care. I think it depends on how important you think the election is and how much of a risk you want to take. Obviously, fewer people voting over the Internet means the risk will be smaller. If the election doesn't matter, then who cares if it is risky or not?
Q - Pat Kelly: In your opinion, there's no acceptable way to do it, if you place value on the outcome of an election, which we most certainly do at this committee.
A - Barbara Simons: How much risk do you want to take?