Sunday, October 23, 2016
Reveal podcast examines electronic and online voting issues
Program page with links to iTunes and more information: https://www.revealnews.org/episodes/how-to-really-steal-an-election/
The beginning is a lot about US elections that may not be particularly relevant for a Canadian audience.
Below are some timecodes you can use to jump to various portions of the program:
- 12:07 - electronic voting machines (electronic voting computers) - link
- 18:34 - online voting - link
- 22:57 - Dr. Barbara Simons, computer security expert - link
- 38:24 - issues with postal voting on a Navajo reservation - link
In the SoundCloud interface above, you need to click your mouse within the soundbar panel to select the start time you want, e.g.
Labels: electronic voting, internet voting, links to audio, online voting, postal voting
Sunday, October 02, 2016
ERRE Presentation - Internet Voting: Making Elections Hackable - Dr. Barbara Simons
Presentation by Dr. Barbara Simons to Canadian ERRE Special Committee on Electoral Reform, meeting 32, panel 3, in Vancouver on September 28, 2016. Provided by permission of Dr. Simons.
Audio is available from ParlVu. Panel 3 with Dr. Simons starts at 21:31:25.
Her presentation begins at 21:33:25 and ends at 21:39:32. The panel ends at 22:54:50.
I tried to use the built-in download-and-clip tool to get a segment of the audio but it didn't work for me.
If there is even a small chance that Internet voting might result in our elections being hacked, it doesn't matter how many people want it. If Internet voting puts our elections at risk—and it does—we must reject it until such time as it can be proven secure.
I have brought copies of the “Computer Technologists' Statement on Internet Voting”, which unfortunately hasn't been translated, so I guess I can't distribute them, but they will be made available later and I could address the recommendations made in that statement during the question period. It was signed by prominent computer science researchers from major universities throughout the United States. I think it's a fair statement to say that computer security experts are basically in total agreement that we should not have Internet voting at this time, anywhere.
The title of my talk is, “Internet Voting: Making Elections Hackable”. As you know, there are five principles for this hearing, one of which is integrity. Australia did an assessment of Internet voting and there's a quote from the Honourable Tony Smith, who was chair of the joint standing committee on electoral matters in Australia, which says, “it is clear to me...that Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.”
Those of you who have copies of my slides see that the next slide has a list of a large number of sites that have been hacked, starting with Yahoo, where half a billion users' accounts were hacked into, and that includes a lot of Canadians. It also includes, in Canada, the Department of Finance, the Treasury Board Secretariat, Defence Research and Development Canada, the National Research Council, The Ottawa Hospital, and the University of Calgary. In the United States it includes the Democratic National Committee, as I'm sure you've heard, the Office of Personnel Management, the Pentagon emails, the FBI, the White House, the U.S. State Department, Google, AOL, Symantec, and so on and so forth.
A question that I hope this committee will ask itself is, what will happen if we take up Internet voting in this country, and months after a government is seated it is discovered that the election has been hacked? This is not an unrealistic scenario. The Yahoo breach started in 2014 and it was just uncovered. The Democratic National Committee breach occurred months before it was discovered. It typically takes months to discover a breach after it has occurred. You can replace money that's stolen from online bank accounts—and by the way, millions and millions of dollars are stolen annually from online bank accounts—but you cannot replace votes.
Toronto did a security analysis of three systems that were submitted there for consideration. The conclusion of the security analysis was that no proposal provides adequate protection against the risks inherent in Internet voting. Their recommendation was that the city not proceed with Internet voting in upcoming municipal elections.
Quebec has had a moratorium on electronic voting since 2005.
British Columbia had a panel that investigated Internet voting. Their conclusion was, first of all, non-voters usually don't vote over the Internet. It's used primarily as a tool for voters who have already decided to vote, mostly middle-age voters. It's least popular among young people, and that reflects traditional voter turnout. Their recommendation is to not implement Internet voting for either local or provincial government elections at this time.
Estonia is often brought up as an example of a country that has successfully conducted Internet voting. Most people don't know that in 2014, an independent group of international experts performed a security evaluation of the Estonian system. They found that it's vulnerable to state-level attackers who could compromise the secret ballot, disrupt elections, or cast doubt on the fairness of the results, and it is vulnerable to a range of attacks, including vote-stealing malware on the voter's machine, and they recommended that Internet voting be halted. Unfortunately, in Estonia, it has not been.
Basically, Washington, D.C., was considering Internet voting for real elections in the 2010 mid-term. They opened it up two weeks beforehand to allow anyone from anywhere to try to hack into the system. This is the only time this has been done. Two weeks before, it was taken over within 36 hours by a team from the University of Michigan. They could change already cast and future ballots, and they could reveal the voters' secret ballots. They installed the University of Michigan fight song as their calling card, so it would start playing 15 seconds after voting in this sample election, which was quite interesting for those of us who didn't know they had broken in. They also discovered probes coming from China and Iran, and they protected the system from these probes.
I don't think that China and Iran were actually trying to break into a pilot system. It wasn't a real election; it was a toy election. But these probes are always on the Internet, and they are always trying to break in. As I said, no other vendor has allowed such a test because, I believe, they know that their systems would be vulnerable. In fact, the only kind of real-life test you can do is to let anyone from anywhere try to break in, because that's what reality is.
A - Barbara Simons: I think that a referendum may be fine for certain issues, but when it's a heavily technological issue like Internet voting, you really need to listen to the experts. In fact, when I first heard about Internet voting, I thought it was a great idea. I really wanted to do it, and most of my colleagues—almost all of us are geeks, I should say. Notice that I'm here with this. I mean, I live on a computer. I spend all day long on the computer. I love my computer. But I don't want to vote on my computer, not in a major election.
Look at what's happening in the United States right now, where the Democratic Party is terrified that the election is going to be rigged by Russia. Now, I'm not saying that's going to happen, but the very fact that people are even contemplating that idea is very disturbing.
I was in Estonia a few years ago, at the invitation of the Estonian Centre Party, which is the second-largest party in Estonia, and remember, as I said in my talk, people hold up Estonia as the model of Internet voting in a country.
They invited me there because they are convinced that their elections are being rigged. They are the second-largest party, and if you look at who votes over the Internet, members of their party do not.... At least they don't get votes over the Internet very much. Most of their votes come from paper ballots, because Estonia has both paper ballots and Internet voting. They wanted me to go there and tell them that the election was rigged. I couldn't do that, because there's no way to know.
That's one of the terrifying things of Internet voting. You could have malware, election-rigging malware, on the voter's machine which could change the vote before it goes out over the Internet. What you see on your screen is not necessarily what goes out, because there are different components in a computer. It could change what goes out and the voter would never know.
That means that when you get the electronic ballots at the other end, these bits, you cannot know if they accurately represent the will of the voters, and therefore, you cannot do a recount. I could not therefore tell members of the Estonian Centre Party that the election was rigged, nor could I tell them that it was not rigged.
I think that is a very unhealthy situation for a democracy.
Q - Gabriel Ste-Marie: I am going to start by addressing you, Ms. Simons.
Thank you for coming and warning us against electronic voting. The points you raised are disturbing. As you said, in the American election campaign, Russian computer scientists got hold of emails belonging to the woman who is a candidate for the office of president of the United States. In Canada, it would be unthinkable to realize, a year or two after an election, that the entire thing had been tampered with by foreign interests and that this had even put, who knows, the Bloc Québécois in power. That would be hard to believe, but in any event, we have to be careful.
What is good about our system is that we have a little piece of paper and a little pencil, we mark an X and we put the paper in the box, so it can be counted and examined.
I have a concern about electronic voting. The fact that the person voting would not be alone in a booth concerns me. We could have vote-buying, negative influence, fear, and so on. In your eyes, do these factors also amount to obstacles to electronic voting?
A - Barbara Simons: I think when you talk about the person not being alone with Internet voting, that's an issue for any kind of remote voting. It's the same for voting by mail. With Internet voting, you have to worry about voter coercion and vote buying and selling. That's of concern to me. I think remote voting should be held to a minimum. There are people who have to do it because they are not well, or they are away and they have to vote remotely, but generally speaking, it shouldn't be, as it is in many parts of the United States, made available to everybody. My experience in Canada is that it isn't made available to everybody. It's not that easy, and I think that's a good thing.
You talked about the paper ballots. I was a poll worker in a provincial election here, and I thought the way the election was run was wonderful. I've also worked on an election in the United States, and believe me, it's done much better in Canada. It really is.
One of the things that's nice about the way it's done in Canada is that when the election was over, we all tabulated the ballots. There were all these rules. They had to come out right. There was a lot of double-checking and triple-checking, and nobody could leave until it all worked. There was one table that hadn't quite...they were off by one, and the rest of us were hungry, but we couldn't leave until they finally worked it out. I thought it was wonderful.
Another thing I hope you will keep in mind when you think about moving to another form of voting is whether you can retain this spirit, this counting locally, and this being able to check locally and have observers from all the parties who can look at what's going on. If you move to a complicated form of voting, then you're going to have to use computers, and you won't be able to see what's going on inside the computers. You'll be dependent on the software, which could have software bugs or it could have malware.
Q - John Aldag: Dr. Simons, I want to start the questioning with you.
I found the information you provided fascinating. As Mr. Cullen had noted when we started, it seemed that online voting could be a solution to a lot of our problems, including accessibility. You've just taken that and thrown it in the trash can for me. It causes me some concern. Is there any hope for any application down the road?
One of the things we've been asked to look at is increasing accessibility and voter participation. I know from my own experience during my first election in October, I did have people who were unable to make it to the polling booth, and Elections Canada did some great work to make their votes accessible. I thought there could be some great opportunities for those who are homebound dealing with disabilities.
Then we had a witness from the Canadian National Institute for the Blind who spoke with us more recently. Her testimony really touched me. She talked about never having been able to have a secret ballot. One of the many messages I got from her is that many persons with disabilities, particularly visual disabilities, have technology that they work with at home that uses oral prompts and other things to help them. I thought maybe we need to go with a limited-reach online voting. We heard that from our Chief Electoral Officer, to maybe go small and do some test populations.
Until you spoke, I was hoping that we could convince Elections Canada to start with a population such as those with sight disabilities and pilot something, but with what you're saying, the risks are so high.
Would you advise us and direct us away from even going that far, because of the vulnerabilities?
A - Barbara Simons: There are safer alternatives.
In the United States there's been a lot of concern about voters in the military overseas, because it takes a long time, and about people with disabilities. What's done there, and I think this could be done in Canada, is that you can make the blank ballot available online. In the U.S. for military voters, by law it's made available at least 45 days in advance of the election. They download the ballot, print it out, fill it out, and mail it in.
Now, with voters with disabilities, you could download the ballot onto the computer, and they could use their tools to vote. One thing you need to be careful about is that when that happens, you don't want their computer communicating with the main server, because that's basically Internet voting again, and you have lots of issues, such as the secret ballot. But they can download it onto their computer, disconnect from the Internet, and then fill it out locally so that they can take advantage of the tools they have. A blind voter can fill it out, print it out, and then mail it in by postal mail. Again, they can use the tools, and if it's done enough in advance, they don't have to worry about the time for the postal mail.
Q - John Aldag: It's a wonderful suggestion, very practical.
What else have you encountered in this area of research that you can get to us while we have access to your expertise, before the chair cuts me off? Are there any other gems you can give us that will help us reach out to some of these populations that have been disenfranchised from our voting system?
A - Barbara Simons: know there's been concern among first nations. I've heard some testimony in another event where a first nation person was strongly advocating for Internet voting.
Again, I think it does a disservice to voters with disabilities, to first nations, to anybody, to provide them with a tool that is fundamentally insecure. We owe it to them when we provide them with alternatives to make sure those alternatives are secure.
That would be my recommendation.
Comment - Scott Reid: I don't have any questions for you, Dr. Simons, and that's because you've resolved matters in my mind. I'm now firmly committed to not moving to electronic voting. In fact, I'm completely paranoid. That was very convincing.
Q - Sherry Romanado: Dr. Simons, like my colleagues, I have to say that if we weren't already unsure about Internet voting, your testimony this evening scared some of us. I'll add to this, so please forgive my little sidebar.
In addition to sitting on the committee for electoral reform, I also sit on the Standing Committee on National Defence. We've just completed part of a study on the defence of North America, specifically on aerial readiness. We spent some time at NORAD during this study, where we heard about the emerging threats, conventional and asymmetrical attacks, and specifically, cyber-threats and cyber-attacks here in Canada.
You brought up a point that I hadn't thought of. We heard that there was an increase in the potential for cyber-attacks in Canada, and in fact Canada is now looking at a consultation to upgrade our national cybersecurity policy. You mentioned the actual machines to do the count, and I thought that was interesting, because I had only heard about the e-voting or online voting. You mentioned that whatever system we decide to put into place, if there are requirements for algorithms or calculations coming out of whatever we choose, those are also susceptible to cyber-attack.
For instance, it's simple to count the ballots—and I think most of us have volunteered at elections where you get to count the ballots—but if we actually have a system where we have to run these ballots or votes through a machine for it to then do the calculations, whether it be a proportional system or whatever system we choose, those too are susceptible to attack.
Could you elaborate a bit on that? I hadn't thought of that portion.
A - Barbara Simons: By the way, before I do that, here's one other thing to help make you more paranoid with regard to Internet voting. Think about ransomware and how that could be applied to Internet voting.
Getting back to your question, in terms of being subject to cyber-attack, that would depend on whether or not it has access to the Internet. I'm not saying that introducing computers into the election process necessarily would make them vulnerable to cyber-attack. What I'm saying is that when you bring in the computers, you are dependent on the computers. You're dependent on the algorithm for counting the votes.
In the case of some of these systems, that can be complicated. You have to be careful that the algorithm is correct, that the code was written correctly, and that no bad person has gotten their hands on those machines and changed the software to rig the election in some way. You can't really open up the machine and look at it the way you can pieces of paper. You just have to be more careful. There are risks whenever you introduce computers into the system.
It's kind of funny, because the people who are raising the alarm, by and large, are the computer scientists, and when I first started this, we were being told by people who really didn't know anything about computers that we were Luddites to talk about these issues.
I'm just counselling you that if we move to a very complicated system that can't be tabulated manually, it means that computers will have to come in. That means that in some sense we're going to be outsourcing the election to the vendors. Even if it's homegrown software, you still are dependent on the people who write the software and on the algorithms being correct. You introduce an element of risk, and you also don't have the transparency that our elections currently have, and I think that transparency is really a wonderful thing.
There are other forms of voting that aren't first-past-the-post systems where you can manually count, so I'm not taking a position on first-past-the-post systems or not.
Q - Sherry Romanado: I wasn't asking what voting system.... I'm looking at what the possible ramifications are of using that.
Given that, you did mention our military who are serving overseas. I have two sons currently serving in the Canadian Armed Forces, so it's something that's important to me. Is there a possibility of leveraging technology, knowing the risks, to reach folks who want to be able to vote?
You mentioned the downloading of the form and filling it out and so on and so forth, but is there a possibility of leveraging technology to increase the efficiencies in how we handle our elections? Is there still something that can be done in terms of improving it?
A - Barbara Simons: In terms of downloading, the example I gave of the United States for the military overseas—the mail is expedited and is paid for by the government—is a way of doing it without looking at more technological fixes. The government could expedite the return of the voter ballots for free. That would certainly help.
I'm reluctant to suggest having a small number of voters vote over the Internet, just because we have seen certainly in the United States and here too that sometimes a small number of voters can change an outcome. I'd hate to see even a small number of ballots being vulnerable. It's better than a large number, but—
Intervention from the Chair Francis Scarpaleggia (question session out of time): Thank you, Dr. Simons.
Q - Pat Kelly: I'll ask Dr. Simons to comment on this. Although much of the panel has been in concurrence over the non-desirability of Internet voting, nevertheless it struck me that, if online voting was merely an enabling tool to address people with mobility problems or those who are in remote areas—although we've heard from other witnesses about the challenges there—then does that take the target off an election? If we are talking about a relatively small number of votes that may be identified in some cases with geographically remote places, then does that take the target off? Is it safer if it is not the default, or is there absolutely no acceptable use or application for online voting?
A - Barbara Simons: I think there are acceptable uses for online voting for elections that don't matter much. For example, for prom queen, I don't care. I think it depends on how important you think the election is and how much of a risk you want to take. Obviously, fewer people voting over the Internet means the risk will be smaller. If the election doesn't matter, then who cares if it is risky or not?
Q - Pat Kelly: In your opinion, there's no acceptable way to do it, if you place value on the outcome of an election, which we most certainly do at this committee.
A - Barbara Simons: How much risk do you want to take?
Audio is available from ParlVu. Panel 3 with Dr. Simons starts at 21:31:25.
Her presentation begins at 21:33:25 and ends at 21:39:32. The panel ends at 22:54:50.
I tried to use the built-in download-and-clip tool to get a segment of the audio but it didn't work for me.
UPDATE 2016-10-18:
Presentation
Transcript of Dr. Simons' presentaton (from OpenParliament.ca)
Thank you for the opportunity to speak with you today about a critical issue: the fundamental insecurity of all currently available Internet voting systems. If this were a medical hearing to determine whether to approve a new drug for human consumption, safety would be paramount. A drug that is likely to result in serious injury to patients would be rejected, no matter how many people wanted to use it. Internet voting is like a drug we are considering for the country.If there is even a small chance that Internet voting might result in our elections being hacked, it doesn't matter how many people want it. If Internet voting puts our elections at risk—and it does—we must reject it until such time as it can be proven secure.
I have brought copies of the “Computer Technologists' Statement on Internet Voting”, which unfortunately hasn't been translated, so I guess I can't distribute them, but they will be made available later and I could address the recommendations made in that statement during the question period. It was signed by prominent computer science researchers from major universities throughout the United States. I think it's a fair statement to say that computer security experts are basically in total agreement that we should not have Internet voting at this time, anywhere.
The title of my talk is, “Internet Voting: Making Elections Hackable”. As you know, there are five principles for this hearing, one of which is integrity. Australia did an assessment of Internet voting and there's a quote from the Honourable Tony Smith, who was chair of the joint standing committee on electoral matters in Australia, which says, “it is clear to me...that Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.”
Those of you who have copies of my slides see that the next slide has a list of a large number of sites that have been hacked, starting with Yahoo, where half a billion users' accounts were hacked into, and that includes a lot of Canadians. It also includes, in Canada, the Department of Finance, the Treasury Board Secretariat, Defence Research and Development Canada, the National Research Council, The Ottawa Hospital, and the University of Calgary. In the United States it includes the Democratic National Committee, as I'm sure you've heard, the Office of Personnel Management, the Pentagon emails, the FBI, the White House, the U.S. State Department, Google, AOL, Symantec, and so on and so forth.
A question that I hope this committee will ask itself is, what will happen if we take up Internet voting in this country, and months after a government is seated it is discovered that the election has been hacked? This is not an unrealistic scenario. The Yahoo breach started in 2014 and it was just uncovered. The Democratic National Committee breach occurred months before it was discovered. It typically takes months to discover a breach after it has occurred. You can replace money that's stolen from online bank accounts—and by the way, millions and millions of dollars are stolen annually from online bank accounts—but you cannot replace votes.
Toronto did a security analysis of three systems that were submitted there for consideration. The conclusion of the security analysis was that no proposal provides adequate protection against the risks inherent in Internet voting. Their recommendation was that the city not proceed with Internet voting in upcoming municipal elections.
Quebec has had a moratorium on electronic voting since 2005.
British Columbia had a panel that investigated Internet voting. Their conclusion was, first of all, non-voters usually don't vote over the Internet. It's used primarily as a tool for voters who have already decided to vote, mostly middle-age voters. It's least popular among young people, and that reflects traditional voter turnout. Their recommendation is to not implement Internet voting for either local or provincial government elections at this time.
Estonia is often brought up as an example of a country that has successfully conducted Internet voting. Most people don't know that in 2014, an independent group of international experts performed a security evaluation of the Estonian system. They found that it's vulnerable to state-level attackers who could compromise the secret ballot, disrupt elections, or cast doubt on the fairness of the results, and it is vulnerable to a range of attacks, including vote-stealing malware on the voter's machine, and they recommended that Internet voting be halted. Unfortunately, in Estonia, it has not been.
Basically, Washington, D.C., was considering Internet voting for real elections in the 2010 mid-term. They opened it up two weeks beforehand to allow anyone from anywhere to try to hack into the system. This is the only time this has been done. Two weeks before, it was taken over within 36 hours by a team from the University of Michigan. They could change already cast and future ballots, and they could reveal the voters' secret ballots. They installed the University of Michigan fight song as their calling card, so it would start playing 15 seconds after voting in this sample election, which was quite interesting for those of us who didn't know they had broken in. They also discovered probes coming from China and Iran, and they protected the system from these probes.
I don't think that China and Iran were actually trying to break into a pilot system. It wasn't a real election; it was a toy election. But these probes are always on the Internet, and they are always trying to break in. As I said, no other vendor has allowed such a test because, I believe, they know that their systems would be vulnerable. In fact, the only kind of real-life test you can do is to let anyone from anywhere try to break in, because that's what reality is.
Thank you.
Q&A
Q - Gérard Deltell: Madam Simons, if we change the way we elect our people, we are open to discussion, but at the end of the day, the people shall decide by a referendum. It's not up to parties and politicians because we are in a conflict of interest with regard to the decision.
What do you think about that?A - Barbara Simons: I think that a referendum may be fine for certain issues, but when it's a heavily technological issue like Internet voting, you really need to listen to the experts. In fact, when I first heard about Internet voting, I thought it was a great idea. I really wanted to do it, and most of my colleagues—almost all of us are geeks, I should say. Notice that I'm here with this. I mean, I live on a computer. I spend all day long on the computer. I love my computer. But I don't want to vote on my computer, not in a major election.
Look at what's happening in the United States right now, where the Democratic Party is terrified that the election is going to be rigged by Russia. Now, I'm not saying that's going to happen, but the very fact that people are even contemplating that idea is very disturbing.
I was in Estonia a few years ago, at the invitation of the Estonian Centre Party, which is the second-largest party in Estonia, and remember, as I said in my talk, people hold up Estonia as the model of Internet voting in a country.
They invited me there because they are convinced that their elections are being rigged. They are the second-largest party, and if you look at who votes over the Internet, members of their party do not.... At least they don't get votes over the Internet very much. Most of their votes come from paper ballots, because Estonia has both paper ballots and Internet voting. They wanted me to go there and tell them that the election was rigged. I couldn't do that, because there's no way to know.
That's one of the terrifying things of Internet voting. You could have malware, election-rigging malware, on the voter's machine which could change the vote before it goes out over the Internet. What you see on your screen is not necessarily what goes out, because there are different components in a computer. It could change what goes out and the voter would never know.
That means that when you get the electronic ballots at the other end, these bits, you cannot know if they accurately represent the will of the voters, and therefore, you cannot do a recount. I could not therefore tell members of the Estonian Centre Party that the election was rigged, nor could I tell them that it was not rigged.
I think that is a very unhealthy situation for a democracy.
Q - Gabriel Ste-Marie: I am going to start by addressing you, Ms. Simons.
Thank you for coming and warning us against electronic voting. The points you raised are disturbing. As you said, in the American election campaign, Russian computer scientists got hold of emails belonging to the woman who is a candidate for the office of president of the United States. In Canada, it would be unthinkable to realize, a year or two after an election, that the entire thing had been tampered with by foreign interests and that this had even put, who knows, the Bloc Québécois in power. That would be hard to believe, but in any event, we have to be careful.
What is good about our system is that we have a little piece of paper and a little pencil, we mark an X and we put the paper in the box, so it can be counted and examined.
I have a concern about electronic voting. The fact that the person voting would not be alone in a booth concerns me. We could have vote-buying, negative influence, fear, and so on. In your eyes, do these factors also amount to obstacles to electronic voting?
A - Barbara Simons: I think when you talk about the person not being alone with Internet voting, that's an issue for any kind of remote voting. It's the same for voting by mail. With Internet voting, you have to worry about voter coercion and vote buying and selling. That's of concern to me. I think remote voting should be held to a minimum. There are people who have to do it because they are not well, or they are away and they have to vote remotely, but generally speaking, it shouldn't be, as it is in many parts of the United States, made available to everybody. My experience in Canada is that it isn't made available to everybody. It's not that easy, and I think that's a good thing.
You talked about the paper ballots. I was a poll worker in a provincial election here, and I thought the way the election was run was wonderful. I've also worked on an election in the United States, and believe me, it's done much better in Canada. It really is.
One of the things that's nice about the way it's done in Canada is that when the election was over, we all tabulated the ballots. There were all these rules. They had to come out right. There was a lot of double-checking and triple-checking, and nobody could leave until it all worked. There was one table that hadn't quite...they were off by one, and the rest of us were hungry, but we couldn't leave until they finally worked it out. I thought it was wonderful.
Another thing I hope you will keep in mind when you think about moving to another form of voting is whether you can retain this spirit, this counting locally, and this being able to check locally and have observers from all the parties who can look at what's going on. If you move to a complicated form of voting, then you're going to have to use computers, and you won't be able to see what's going on inside the computers. You'll be dependent on the software, which could have software bugs or it could have malware.
Q - John Aldag: Dr. Simons, I want to start the questioning with you.
I found the information you provided fascinating. As Mr. Cullen had noted when we started, it seemed that online voting could be a solution to a lot of our problems, including accessibility. You've just taken that and thrown it in the trash can for me. It causes me some concern. Is there any hope for any application down the road?
One of the things we've been asked to look at is increasing accessibility and voter participation. I know from my own experience during my first election in October, I did have people who were unable to make it to the polling booth, and Elections Canada did some great work to make their votes accessible. I thought there could be some great opportunities for those who are homebound dealing with disabilities.
Then we had a witness from the Canadian National Institute for the Blind who spoke with us more recently. Her testimony really touched me. She talked about never having been able to have a secret ballot. One of the many messages I got from her is that many persons with disabilities, particularly visual disabilities, have technology that they work with at home that uses oral prompts and other things to help them. I thought maybe we need to go with a limited-reach online voting. We heard that from our Chief Electoral Officer, to maybe go small and do some test populations.
Until you spoke, I was hoping that we could convince Elections Canada to start with a population such as those with sight disabilities and pilot something, but with what you're saying, the risks are so high.
Would you advise us and direct us away from even going that far, because of the vulnerabilities?
A - Barbara Simons: There are safer alternatives.
In the United States there's been a lot of concern about voters in the military overseas, because it takes a long time, and about people with disabilities. What's done there, and I think this could be done in Canada, is that you can make the blank ballot available online. In the U.S. for military voters, by law it's made available at least 45 days in advance of the election. They download the ballot, print it out, fill it out, and mail it in.
Now, with voters with disabilities, you could download the ballot onto the computer, and they could use their tools to vote. One thing you need to be careful about is that when that happens, you don't want their computer communicating with the main server, because that's basically Internet voting again, and you have lots of issues, such as the secret ballot. But they can download it onto their computer, disconnect from the Internet, and then fill it out locally so that they can take advantage of the tools they have. A blind voter can fill it out, print it out, and then mail it in by postal mail. Again, they can use the tools, and if it's done enough in advance, they don't have to worry about the time for the postal mail.
Q - John Aldag: It's a wonderful suggestion, very practical.
What else have you encountered in this area of research that you can get to us while we have access to your expertise, before the chair cuts me off? Are there any other gems you can give us that will help us reach out to some of these populations that have been disenfranchised from our voting system?
A - Barbara Simons: know there's been concern among first nations. I've heard some testimony in another event where a first nation person was strongly advocating for Internet voting.
Again, I think it does a disservice to voters with disabilities, to first nations, to anybody, to provide them with a tool that is fundamentally insecure. We owe it to them when we provide them with alternatives to make sure those alternatives are secure.
That would be my recommendation.
Comment - Scott Reid: I don't have any questions for you, Dr. Simons, and that's because you've resolved matters in my mind. I'm now firmly committed to not moving to electronic voting. In fact, I'm completely paranoid. That was very convincing.
Q - Sherry Romanado: Dr. Simons, like my colleagues, I have to say that if we weren't already unsure about Internet voting, your testimony this evening scared some of us. I'll add to this, so please forgive my little sidebar.
In addition to sitting on the committee for electoral reform, I also sit on the Standing Committee on National Defence. We've just completed part of a study on the defence of North America, specifically on aerial readiness. We spent some time at NORAD during this study, where we heard about the emerging threats, conventional and asymmetrical attacks, and specifically, cyber-threats and cyber-attacks here in Canada.
You brought up a point that I hadn't thought of. We heard that there was an increase in the potential for cyber-attacks in Canada, and in fact Canada is now looking at a consultation to upgrade our national cybersecurity policy. You mentioned the actual machines to do the count, and I thought that was interesting, because I had only heard about the e-voting or online voting. You mentioned that whatever system we decide to put into place, if there are requirements for algorithms or calculations coming out of whatever we choose, those are also susceptible to cyber-attack.
For instance, it's simple to count the ballots—and I think most of us have volunteered at elections where you get to count the ballots—but if we actually have a system where we have to run these ballots or votes through a machine for it to then do the calculations, whether it be a proportional system or whatever system we choose, those too are susceptible to attack.
Could you elaborate a bit on that? I hadn't thought of that portion.
A - Barbara Simons: By the way, before I do that, here's one other thing to help make you more paranoid with regard to Internet voting. Think about ransomware and how that could be applied to Internet voting.
Getting back to your question, in terms of being subject to cyber-attack, that would depend on whether or not it has access to the Internet. I'm not saying that introducing computers into the election process necessarily would make them vulnerable to cyber-attack. What I'm saying is that when you bring in the computers, you are dependent on the computers. You're dependent on the algorithm for counting the votes.
In the case of some of these systems, that can be complicated. You have to be careful that the algorithm is correct, that the code was written correctly, and that no bad person has gotten their hands on those machines and changed the software to rig the election in some way. You can't really open up the machine and look at it the way you can pieces of paper. You just have to be more careful. There are risks whenever you introduce computers into the system.
It's kind of funny, because the people who are raising the alarm, by and large, are the computer scientists, and when I first started this, we were being told by people who really didn't know anything about computers that we were Luddites to talk about these issues.
I'm just counselling you that if we move to a very complicated system that can't be tabulated manually, it means that computers will have to come in. That means that in some sense we're going to be outsourcing the election to the vendors. Even if it's homegrown software, you still are dependent on the people who write the software and on the algorithms being correct. You introduce an element of risk, and you also don't have the transparency that our elections currently have, and I think that transparency is really a wonderful thing.
There are other forms of voting that aren't first-past-the-post systems where you can manually count, so I'm not taking a position on first-past-the-post systems or not.
Q - Sherry Romanado: I wasn't asking what voting system.... I'm looking at what the possible ramifications are of using that.
Given that, you did mention our military who are serving overseas. I have two sons currently serving in the Canadian Armed Forces, so it's something that's important to me. Is there a possibility of leveraging technology, knowing the risks, to reach folks who want to be able to vote?
You mentioned the downloading of the form and filling it out and so on and so forth, but is there a possibility of leveraging technology to increase the efficiencies in how we handle our elections? Is there still something that can be done in terms of improving it?
A - Barbara Simons: In terms of downloading, the example I gave of the United States for the military overseas—the mail is expedited and is paid for by the government—is a way of doing it without looking at more technological fixes. The government could expedite the return of the voter ballots for free. That would certainly help.
I'm reluctant to suggest having a small number of voters vote over the Internet, just because we have seen certainly in the United States and here too that sometimes a small number of voters can change an outcome. I'd hate to see even a small number of ballots being vulnerable. It's better than a large number, but—
Intervention from the Chair Francis Scarpaleggia (question session out of time): Thank you, Dr. Simons.
Q - Pat Kelly: I'll ask Dr. Simons to comment on this. Although much of the panel has been in concurrence over the non-desirability of Internet voting, nevertheless it struck me that, if online voting was merely an enabling tool to address people with mobility problems or those who are in remote areas—although we've heard from other witnesses about the challenges there—then does that take the target off an election? If we are talking about a relatively small number of votes that may be identified in some cases with geographically remote places, then does that take the target off? Is it safer if it is not the default, or is there absolutely no acceptable use or application for online voting?
A - Barbara Simons: I think there are acceptable uses for online voting for elections that don't matter much. For example, for prom queen, I don't care. I think it depends on how important you think the election is and how much of a risk you want to take. Obviously, fewer people voting over the Internet means the risk will be smaller. If the election doesn't matter, then who cares if it is risky or not?
Q - Pat Kelly: In your opinion, there's no acceptable way to do it, if you place value on the outcome of an election, which we most certainly do at this committee.
A - Barbara Simons: How much risk do you want to take?
Labels: #ERRE, electronic voting, internet voting, links to audio, links to presentations, online voting
Sunday, September 18, 2016
Electoral Reform in Canada and information about Electronic Voting and Online Voting
First I want to make it clear that I understand the public servants preparing these materials are working on a tight deadline, with a lot of information to prepare in a short period of time. I sympathise with the challenges they face.
I believe in evidence-based decisionmaking. Here is the fundamental problem about the current consultations (parallel Ministerial and Committee consultations) about electoral reform: they are both asking about electronic voting and online voting with no evidence provided whatsoever. No learning materials on electronic and online voting, no backgrounder, not even any definitions.
We don't even have the very basics to agree on what it is that we're discussing, let alone to have an informed discussion.
Here's the process one is supposed to follow:
1. Go to Canada.ca/Democracy
2. Click on Learn
3. Click on "Electronic Voting and Online Voting"
Except you can't. Because there is no section on electronic voting and online voting. Here are the sections:
You can click all you want on any of the eleven sections provided, and out of all eleven, you will find literally a single sentence (maybe) relating to electronic voting, in Changing Canada's federal electoral system - How you vote.
Where is the evidence for the statement that introducing new technologies could pave the way for online voting? Does "introducing new technologies at the polls" mean electronic voting machines? What does it mean? Where is the mandate for this approach to gradually transition to online voting via electronic voting? Where is the discussion and debate about this approach? Well there is no evidence, no definition, no mandate and no discussion. It just appeared out of nowhere.
Maybe we can look at the Glossary of Canadian electoral reform terms? Well no.
It has no definition for electronic voting
and no definition for online voting
The only other information available would involve reading the Electoral systems factsheet and for some reason clicking the Library of Parliament backgrounder, and then, having landed on a bunch of text, for some reason scrolling down page after page until you reach section 6.2 Online Voting. Which, even if by some extraordinary degree of interest you manage to reach it, is a wildly inadequate background on online voting anyway. There is no amount of clicking and scrolling that will get you to a backgrounder on electronic voting, for there is none.
I believe in evidence-based decisionmaking. Here is the fundamental problem about the current consultations (parallel Ministerial and Committee consultations) about electoral reform: they are both asking about electronic voting and online voting with no evidence provided whatsoever. No learning materials on electronic and online voting, no backgrounder, not even any definitions.
We don't even have the very basics to agree on what it is that we're discussing, let alone to have an informed discussion.
Here's the process one is supposed to follow:
1. Go to Canada.ca/Democracy
2. Click on Learn
3. Click on "Electronic Voting and Online Voting"
Except you can't. Because there is no section on electronic voting and online voting. Here are the sections:
You can click all you want on any of the eleven sections provided, and out of all eleven, you will find literally a single sentence (maybe) relating to electronic voting, in Changing Canada's federal electoral system - How you vote.
Where is the evidence for the statement that introducing new technologies could pave the way for online voting? Does "introducing new technologies at the polls" mean electronic voting machines? What does it mean? Where is the mandate for this approach to gradually transition to online voting via electronic voting? Where is the discussion and debate about this approach? Well there is no evidence, no definition, no mandate and no discussion. It just appeared out of nowhere.
Maybe we can look at the Glossary of Canadian electoral reform terms? Well no.
It has no definition for electronic voting
and no definition for online voting
The only other information available would involve reading the Electoral systems factsheet and for some reason clicking the Library of Parliament backgrounder, and then, having landed on a bunch of text, for some reason scrolling down page after page until you reach section 6.2 Online Voting. Which, even if by some extraordinary degree of interest you manage to reach it, is a wildly inadequate background on online voting anyway. There is no amount of clicking and scrolling that will get you to a backgrounder on electronic voting, for there is none.
It's worth noting in addition that the committee doesn't actually have electronic voting in its mandate, although that doesn't seem to make any difference in the fact that we're proceeding to discuss electronic voting anyway.
To Sum Up
- Canada is having a national conversation about online voting, with only a very limited backgrounder that is very hard to find. Specifically, with no learning materials on the learning page.
- Canada is having a national conversation about electronic voting, which means - well it's not clear what it means, since it isn't defined anywhere - maybe it means electronic voting machines. The committee has no Parliamentary mandate for discussing electronic voting, and there is no backgrounder or even a definition. And there are no learning materials on the learning page.
As evidence-based decisionmaking goes, this is not a model process.
What You Can Do
If you're concerned about Canada using electronic voting machines or online voting in national elections, please participate in the consultation (deadline October 7, 2016) and make your opinion heard.
What I Did
To address the lack if information, I have written a briefing note on online voting.
I will write a briefing note on electronic voting as well, but in the meantime, you can watch Zachary Quinto explain how US electronic voting machines can be hacked, and then watch Tom Scott talk about why electronic voting is a bad idea.Labels: #CdnDemocracy, #EngagedInER, #ERRE, electronic voting, internet voting, online voting
Sunday, September 11, 2016
Electoral reform consultations discussing electronic voting in addition to online voting
I'm going to assume that this is just an unfortunate misunderstanding about terminology and mandate.
Online voting means voting over the Internet. You cast your vote from your home computer or smartphone.
Electronic voting means voting on a voting machine (a voting computer) at a polling place.
Electronic vote counting means vote tabulators of various sorts, most commonly optical mark-sense readers that count votes by scanning marked paper ballots.
and Vote 80
That's the mandate discussed in Parliament.
The town hall material and discussion has proceeded to talk about electronic voting. Without an adequate backgrounder. Without even a definition. So we may get reporting back about some jumbled up mix of voting machines and online voting, while the committee itself has only discussed online voting.
And electronic voting is a VERY DIFFERENT DISCUSSION than just online voting, with very different considerations.
I will now have to write a separate briefing about electronic voting machine risks.
Anyway, here's some of the town hall materials in order to demonstrate that electronic voting is being discussed.
Potential Canadian federal electoral reform event dialogue topics and questions
So it is clear that the terminology electronic voting and online voting are not being used interchangeably, they are mentioned separately; this is not just confusing one term for the other.
Electronic voting and online voting both link to this text below about "introducing new technologies at the polls", which again has no Parliamentary mandate that I can see, other than a chain of assumptions about how using voting machines could lead to using online voting. There is no definition of either electronic voting or online voting provided.
Changing Canada’s federal electoral system
In addition, the only thing that is even close to a briefing, the Library of Parliament Background Paper 2016-06-E on Electoral Systems, which is already weak on online voting, has no section about electronic voting at all (presumably because it's not in the committee mandate).
And the committee survey also doesn't ask any questions about electronic voting.
Some of the dialogue guidance even focuses on electronic voting alone, without mentioning online voting.
Sample Canadian federal electoral reform event agenda and facilitator guide
And there are at the time of this writing five variations of the Canadian Democracy tweet below, asking about electronic voting; I assume at least one tweet per town hall meeting.
"Electronic and Online voting? Good idea? Bad idea? #EngagedinER" - @CdnDemocracy - 10:56 PM - 9 Sep 2016
Online voting means voting over the Internet. You cast your vote from your home computer or smartphone.
Electronic voting means voting on a voting machine (a voting computer) at a polling place.
Electronic vote counting means vote tabulators of various sorts, most commonly optical mark-sense readers that count votes by scanning marked paper ballots.
Recommendations for Consultation
0. Discontinue discussion of electronic voting
However, if discussion of electronic voting is going to continue:- The mandate for the Electoral Reform committee should be amended, adding after the words "online voting" the following: ", and electronic voting.
But it is probably too late to do that. - There should be clear definitions of electronic voting and online voting in the Host a Canadian federal electoral reform dialogue in your community materials and those definitions should also be provided to the committee.
- The focus of the electoral reform dialogue should be placed on online voting to respect the original committee mandate.
- The Library of Parliament Background Paper 2016-06 on Electoral Systems should have a section on electronic voting added.
- The Electoral Reform committee online survey should have questions about electronic voting added, and the consequences of currently-completed surveys only having questions about online voting will have to be considered.
- In future, more care must be taken with terminology used and alignment between committee activities and consultation materials.
Recommendations for Individuals
If you're concerned about Canada using electronic voting machines or online voting in national elections, please participate in the consultation (deadline October 7, 2016) and make your opinion heard.
Background
The terms of reference for the Special Committee on Electoral Reform very clearly say only online voting. There is no mention of electronic voting.
Here's Vote 79
and Vote 80
That's the mandate discussed in Parliament.
The town hall material and discussion has proceeded to talk about electronic voting. Without an adequate backgrounder. Without even a definition. So we may get reporting back about some jumbled up mix of voting machines and online voting, while the committee itself has only discussed online voting.
And electronic voting is a VERY DIFFERENT DISCUSSION than just online voting, with very different considerations.
I will now have to write a separate briefing about electronic voting machine risks.
Anyway, here's some of the town hall materials in order to demonstrate that electronic voting is being discussed.
Potential Canadian federal electoral reform event dialogue topics and questions
So it is clear that the terminology electronic voting and online voting are not being used interchangeably, they are mentioned separately; this is not just confusing one term for the other.
Electronic voting and online voting both link to this text below about "introducing new technologies at the polls", which again has no Parliamentary mandate that I can see, other than a chain of assumptions about how using voting machines could lead to using online voting. There is no definition of either electronic voting or online voting provided.
Changing Canada’s federal electoral system
In addition, the only thing that is even close to a briefing, the Library of Parliament Background Paper 2016-06-E on Electoral Systems, which is already weak on online voting, has no section about electronic voting at all (presumably because it's not in the committee mandate).
And the committee survey also doesn't ask any questions about electronic voting.
Some of the dialogue guidance even focuses on electronic voting alone, without mentioning online voting.
Sample Canadian federal electoral reform event agenda and facilitator guide
And there are at the time of this writing five variations of the Canadian Democracy tweet below, asking about electronic voting; I assume at least one tweet per town hall meeting.
"Electronic and Online voting? Good idea? Bad idea? #EngagedinER" - @CdnDemocracy - 10:56 PM - 9 Sep 2016
So to sum up:Electronic and Online voting? Good idea? Bad idea? #EngagedinER— Canadian Democracy (@CdnDemocracy) September 10, 2016
- The town halls / MP meetings / Minister meetings / citizen-led meetings are discussing "electronic voting" despite this not being in the Parliamentary mandate for the Special Committee on Electoral Reform.
- Nowhere that I can find is "electronic voting" defined. Apparently it means voting machines, but this is not actually written down anywhere.
Labels: #CdnDemocracy, #EngagedInER, #ERRE, canada, e-voting, electronic voting
Saturday, August 06, 2016
Australia concludes electronic voting would catastrophically compromise election integrity
In my understanding, Australia does a review of election processes and possible improvements after every election.
Canada should be so lucky as to have a process as comprehensive as Australia's last review in 2013, where "The Joint Standing Committee on Electoral Matters held 20 hearings and reviewed more than 200 submissions, before deciding Australia should stick to its largely paper based system."[1]
The foreward of this Joint Standing Committee on Electoral Matters (JSCEM) report is worth quoting extensively, as it is clear and compelling. Any emphasis (bolding) below is mine.
[1] ABC - Curious Campaign: Why have voters not had access to electronic voting? - 26 May 2016
Canada should be so lucky as to have a process as comprehensive as Australia's last review in 2013, where "The Joint Standing Committee on Electoral Matters held 20 hearings and reviewed more than 200 submissions, before deciding Australia should stick to its largely paper based system."[1]
The foreward of this Joint Standing Committee on Electoral Matters (JSCEM) report is worth quoting extensively, as it is clear and compelling. Any emphasis (bolding) below is mine.
advocates argue that [electronic voting computers and Internet voting] offer faster and potentially more accurate results. With the close of polls the results are known within minutes rather than hours, days and weeks and arguably without the human error that occurs in the long paper ballot count.Many think it sounds like a good idea for the next federal election.No matter your view, this is not feasible.Even the most ardent electronic voting advocates must recognise that in logistical terms it would be impossible for our electoral authorities to roll it out next polling day which is less than two years away – at the latest.But what about future elections?I once simply assumed so, but that was before I had really given it a lot of thought.After hearing from a range of experts, and surveying the international electoral landscapes it is clear to me that Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.Machine electronic voting at a polling place is vulnerable to hacking to some degree. This can be mitigated by a system that not only records your vote electronically, but also produces a printed ballot for physical counting and later verification. In other words, a lot of expense to still visit the polling booth, queue up and complete your vote on a machine rather than a paper ballot.For this reason, internet voting seems to be naturally the most attractive to many voters. As an election expert from the USA recently said to me: ‘when it comes to voting, folks would rather be online than in line.’But the weight of evidence tells us that at present [Internet voting] is highly vulnerable to hacking. While internet voting occurs in Estonia, it does not mean that system cannot be hacked.
With all the internet security architecture available, the academic experts swear they can, and have proved they can, hack such systems....
Given we complete so many transactions online, I am often asked why voting should be any different. My answer to that is that voting once every three years to determine our democratic destiny is not an everyday transaction.Not only do we have the right to a ballot; we have rightly enshrined within our system the right to a secret vote. Voting at a booth in a polling place guarantees this; voting over the internet threatens this.Internet voting would expose some voters to family and peer pressure by removing the individual isolation of voting at a secluded booth and replacing it with voting in a home, a workplace or a public place. It also potentially opens up a market for votes where disengaged or financially desperate voters could be offered money to vote a certain way, which could be verified in a way not possible at a polling place....
Over the course of the twenty hearings to date and in reviewing the 207 submissions received, the Committee has worked collaboratively and in an impartial manner to ensure that the best outcomes have been met.Technology is moving at a rapid pace. The Committee believes that we should be utilising it to ensure that the systems underpinning how we vote are sound and that persons with disabilities have easy access to the vote. In doing so, we will harness [technology] which enhances our electoral integrity, not that which endangers it.
Hon Tony Smith
MP Chair
I extend my thanks once again to the Honourable Tony Smith for such a clear and compelling summary of the evidence.MP Chair
[1] ABC - Curious Campaign: Why have voters not had access to electronic voting? - 26 May 2016
Labels: australia, electronic voting, internet voting, online voting, report
Wednesday, July 06, 2016
Australia - Parliament of Victoria - Inquiry into Electronic Voting
Another inquiry into electronic voting (which in Australia seems to include Internet voting), this time in the state of Victoria.
Twitter: @VicParliament and @VicGovAu
It is a bit frustrating to see these endless inquiries. The Parliament of Australia (which is different from the Parliament of Victoria) held an extensive consultation in 2013. To quote a valid part of an otherwise misguided article in The Australian, the Parliament of Australia inquiry "held 20 hearings and reviewed more than 200 submissions before deciding Australia should stick to its largely paper-based system".
Please stop asking the same question about Internet voting hoping to get a different answer.
The Australian Parliament inquiry is excellent, incidentally.
Parliament of Australia - Inquiry into and report on all aspects of the conduct of the 2013 Federal Election and matters related thereto -
above from http://www.parliament.vic.gov.au/emc/inquiry/419Submissions
The Committee is currently calling for submissions - please see the Submissions and eSubmissions pages for more information.Public Hearings
The Committee intends to conduct public hearings at 55 St Andrews Place, East Melbourne on Monday 22 August and Wednesday 24 August, 2016. See the Hearings and Transcripts page for more details as they become available.Mailing list
If you are interested in receiving updates on the progress of the Inquiry, email news@parliament.vic.gov.au, and request Electronic Voting inquiry updates. To receive all news alerts from the Parliament of Victoria, including news alerts for all parliamentary committee inquiries, email news@parliament.vic.gov.au and ask for ‘all news alerts’.
Twitter: @VicParliament and @VicGovAu
It is a bit frustrating to see these endless inquiries. The Parliament of Australia (which is different from the Parliament of Victoria) held an extensive consultation in 2013. To quote a valid part of an otherwise misguided article in The Australian, the Parliament of Australia inquiry "held 20 hearings and reviewed more than 200 submissions before deciding Australia should stick to its largely paper-based system".
Please stop asking the same question about Internet voting hoping to get a different answer.
The Australian Parliament inquiry is excellent, incidentally.
Parliament of Australia - Inquiry into and report on all aspects of the conduct of the 2013 Federal Election and matters related thereto -
Second interim report on the inquiry into the conduct of the 2013 federal election: An assessment of electronic voting options
Labels: australia, consultation, electronic voting, internet voting, online voting, Parliament of Victoria, Victoria
The Australian - Election cliffhanger prompts e-Voting rethink - comment
Here is the comment I posted on The Australian article Election cliffhanger prompts e-Voting rethink by Supratim Adhikari on July 5, 2016. The comment has not (yet?) been accepted.
COMMENT
While the counting of paper ballots is slow, all of the complexity is visible to everyone. With an Internet voting system, you would be greatly increasing the complexity and all of the associated possibilities for very complex systems to fail, but hiding all of that increased complexity from voters. This simply distances the voting system even further from citizens. To quote the 2013 Parliamentary inquiry: “It is important that in embracing technology, the secret ballot is not undermined, voter behaviour is not negatively impacted, and confidence in the electoral process and electoral outcomes is not damaged. At a time of debate about community disengagement with political processes, it would be greatly concerning if the method of voting—the one act of participatory democracy that all Australian citizens will definitely engage in—was to further disengage the community from these processes.” [1]
That is not to mention the risk of the election being hacked, including by other nation states. This is a reality already - China was blamed for a massive hack on a Bureau of Meterology computer [2] resulting in the government spending an additional $230 million on cybersecurity [3] .
This leads to the last point, about claimed cost savings. The current paper-based system can be used again and again, year after year, with at most minor modifications. That is not at all the case for any kind of universal electronic voting system. Technology and cyberattacks are constantly changing, which means that any electronic voting system is obsolete the day that it launches. Such a system would have to be continuously and expensively updated for every election, to reflect technology changes and to defend against new types of attacks. That kind of continuous expenditure on information technology is great for the Information Industry, but terrible for government budgets.
[1] http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Electoral_Matters/2013_General_Election/Second_Interim_Report/Chapter_4#comment section 4.80
[2] http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278
[3] http://phys.org/news/2016-04-australia-hack-boosts-cyber.html
ENDCOMMENT
With the slow paper-based count, there has been a flood of articles about Australian e-voting. Unfortunately I'm not able to respond to them all, but the above comment applies generally.
COMMENT
While the counting of paper ballots is slow, all of the complexity is visible to everyone. With an Internet voting system, you would be greatly increasing the complexity and all of the associated possibilities for very complex systems to fail, but hiding all of that increased complexity from voters. This simply distances the voting system even further from citizens. To quote the 2013 Parliamentary inquiry: “It is important that in embracing technology, the secret ballot is not undermined, voter behaviour is not negatively impacted, and confidence in the electoral process and electoral outcomes is not damaged. At a time of debate about community disengagement with political processes, it would be greatly concerning if the method of voting—the one act of participatory democracy that all Australian citizens will definitely engage in—was to further disengage the community from these processes.” [1]
That is not to mention the risk of the election being hacked, including by other nation states. This is a reality already - China was blamed for a massive hack on a Bureau of Meterology computer [2] resulting in the government spending an additional $230 million on cybersecurity [3] .
This leads to the last point, about claimed cost savings. The current paper-based system can be used again and again, year after year, with at most minor modifications. That is not at all the case for any kind of universal electronic voting system. Technology and cyberattacks are constantly changing, which means that any electronic voting system is obsolete the day that it launches. Such a system would have to be continuously and expensively updated for every election, to reflect technology changes and to defend against new types of attacks. That kind of continuous expenditure on information technology is great for the Information Industry, but terrible for government budgets.
[1] http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Electoral_Matters/2013_General_Election/Second_Interim_Report/Chapter_4#comment section 4.80
[2] http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278
[3] http://phys.org/news/2016-04-australia-hack-boosts-cyber.html
ENDCOMMENT
With the slow paper-based count, there has been a flood of articles about Australian e-voting. Unfortunately I'm not able to respond to them all, but the above comment applies generally.
Labels: australia, comment, electronic voting, internet voting, newspaper comment, online voting
Monday, July 04, 2016
Australia and online voting
I have to provide a response to this article because it puts forth remarkably weak arguments.
This style continues in this muddle of a paragraph
And then we get to the latest bit of technology magic, Blockchain
The reality of a vote using the Blockchain is you're posting a traceable vote to a public ledger, which is to say, you're undermining anonymity and enabling coercion.
But Blockchain is in any case the kind of sleight of hand distraction a magician would perform, to distract you from other key activities. In system security, you must ensure that every component of the system is secure, not just one component. Even if Blockchain were somehow a magic crypto solution for storing and checking the vote (which it isn't) you still have to cast the vote. From an actual computer in the real world, not a theoretical computer. And actual computers in the real world, whether they be desktops or mobile devices, are hacked and compromised all the time. In fact the exact same author who just wrote the above quote about Blockchain-based voting's benefits wrote in the article just previous to the voting one that even antivirus security companies can't get security right.
I don't know how one can reconcile understanding not increasing attack surface in one article with advocating vastly increasing attack surface in the following one; I'm going to assume it is associated with frustration with what is admittedly a very complex and slow paper-based election process in Australia.
If you want to read some actual thoughtful analysis of online voting in Australia, in addition to Dr. Teague's article and extensive submissions on the topic, I also recommend that there be an extensive examination of the risks and benefits associated with electronic voting in Australia. Oh wait, there already was, by the Australian Parliament in 2013, and they concluded that the benefits don't outweigh the risks. It's an excellent, comprehensive, clear report. And it only puts things in quotes when it is actually quoting people and statements.
Parliament of Australia - Inquiry into and report on all aspects of the conduct of the 2013 Federal Election and matters related thereto -
there are the “experts” who claim that we shouldn’t implement electronic votingOk, here's the thing: when people are actual experts, you don't put "experts" in quotes. Dr. Vanessa Teague, one of the experts referred to, has written extensively about the topic, including peer-reviewed papers about voting systems and computer security. One can see that from her University of Melbourne faculty page and her Google Scholar profile. To dismiss someone whom Google Scholar reports as having been cited 1064 times by other academics as an "expert" is at best completely misleading.
This style continues in this muddle of a paragraph
All of these things “might” be true but they don’t “necessarily” have to be true and don’t in the end serve as justification for not implementing electronic voting.I really don't know what to say. The statements made by experts are evidence that can be challenged by doing tests. That's science. Putting things in quotes to disparage them is not.
And then we get to the latest bit of technology magic, Blockchain
Blockchain-based voting has the benefit that voting can be done online anonymouslyReally. Anonymously. The Blockchain public ledger, in which every transaction has a user ID attached, enables anonymous voting? How does it do that exactly? How does one ensure that only eligible voters vote, and that the vote that they cast (presumably by posting the vote to the Blockchain) is both verifiable and anonymous, when the user ID must be traceable?
The reality of a vote using the Blockchain is you're posting a traceable vote to a public ledger, which is to say, you're undermining anonymity and enabling coercion.
But Blockchain is in any case the kind of sleight of hand distraction a magician would perform, to distract you from other key activities. In system security, you must ensure that every component of the system is secure, not just one component. Even if Blockchain were somehow a magic crypto solution for storing and checking the vote (which it isn't) you still have to cast the vote. From an actual computer in the real world, not a theoretical computer. And actual computers in the real world, whether they be desktops or mobile devices, are hacked and compromised all the time. In fact the exact same author who just wrote the above quote about Blockchain-based voting's benefits wrote in the article just previous to the voting one that even antivirus security companies can't get security right.
Antivirus software is very complicated. It has to understand the nature of a very large number of different types of files and the different ways in which these files can be altered to escape detection. In order to efficiently process files that may be being written to a disk or arriving via a web link or email, antivirus software usually runs on the computer with extra privileges. This makes the consequence of attacks on this type of software particularly serious. The counter-intuitive result of this is that antivirus software gives malware writers even greater opportunities for attack on a computer than if the software hadn’t been installed in the first place. In security jargon, it actually increases the “attack surface”.That is exactly correct. But if you think antivirus software is very complicated, Internet voting software is vastly more complicated than that. You've got the entire attack surface of the client computer used to cast the votes, and the entire attack surface of the network used to transmit the votes, and the entire attack surface of the servers used to store and count the votes (including Blockchain, which doesn't run on some abstract cloud, but on actual servers or desktops that can be compromised in many ways, including simply capturing enough mining computers to outvote any other writes to the chain).
Recording votes on the blockchain could be combined with two-factor authentication such as that employed by a system used in Utah recently. This system allowed online voting for the Republican Party’s presidential nominee during the recent US primaries.Like the system used in Utah? The one The Guardian reports was "plagued by glitches" where "as many as 13,000 people had tried to sign up but could not because of a variety of technical problems" and "The state party disregarded warnings from prominent computer scientists and from the National Institute for Standards and Technology, which oversees federal certification of voting equipment, that online voting systems are dangerously vulnerable to malware, putting both the integrity and the secrecy of the vote at risk." That system is the one you want to hold up as a model?
I don't know how one can reconcile understanding not increasing attack surface in one article with advocating vastly increasing attack surface in the following one; I'm going to assume it is associated with frustration with what is admittedly a very complex and slow paper-based election process in Australia.
If you want to read some actual thoughtful analysis of online voting in Australia, in addition to Dr. Teague's article and extensive submissions on the topic, I also recommend that there be an extensive examination of the risks and benefits associated with electronic voting in Australia. Oh wait, there already was, by the Australian Parliament in 2013, and they concluded that the benefits don't outweigh the risks. It's an excellent, comprehensive, clear report. And it only puts things in quotes when it is actually quoting people and statements.
Parliament of Australia - Inquiry into and report on all aspects of the conduct of the 2013 Federal Election and matters related thereto -
Second interim report on the inquiry into the conduct of the 2013 federal election: An assessment of electronic voting options
Labels: australia, e-voting, electronic voting, internet voting, online voting
Monday, June 06, 2016
Internet voting video of the week - David Jefferson
Monday, May 30, 2016
Internet voting video of the week - J. Alex Halderman at Enigma 2016
https://youtu.be/v6aUkan3R68
Download the presentation slides.
Labels: electronic voting, enigma2016, internet voting, links to video, online voting
Monday, May 23, 2016
Internet voting video of the week - Barbara Simons
https://youtu.be/Wv3VuGZzdK8
Labels: electronic voting, internet voting, links to video, online voting
Sunday, May 15, 2016
Internet voting video of the week - Andrew Appel
https://youtu.be/abQCqIbBBeM?t=14s
Labels: election history, electronic voting, internet voting, links to video, online voting
Wednesday, May 11, 2016
Internet voting video of the week - Tom Scott
https://youtu.be/w3_0x6oaDmI
Labels: electronic voting, internet voting, links to video, online voting
Sunday, June 07, 2015
Voting Machines
The electronic voting machine, a purely electronic kiosk where you vote, has many challenges.
The code that the machine runs must be correct (without significant bugs or errors), which is difficult (and expensive).
Worse, you must be certain that the code you have validated is actually the code it runs for every vote during the election, which is impossible. As in, literally impossible. The problem is, the only way to find out what code the machine is running is to ask it. Because machines are programmed by humans, machines can lie, just like humans.
Here's how it works:
2. Computer says "I am running the validated code"
2. Computer expert queries the computer about what code it is running
3. The malicious code lies and says "I am running the validated code"
This is not theoretical, this is exactly what a rootkit does.
So if the machine only records votes electronically, you can never be sure if your vote was correctly recorded. (This is not to mention the possibility of alteration during a long electronic chain of transmission to get to the final election results.)
The only way to verify your vote is to get a paper printout, so that you can look at the paper and validate that it shows your vote as cast. But again, remember the computer can lie. You can vote for party A, the computer can record the vote for party B and then print a paper receipt saying you voted for party A.
The only way to actually be certain of the vote count is to count the paper...
which means you just spent millions of dollars replacing a pen.
These are just the core issues, in an ideal system.
In reality, there are many more problems with voting machines. Although some were based on ATMs, ATMs are physically bigger, have a simpler job, have much clearer transactional validation (ask for $100, complain if you don't get $100), and have dedicated maintenance teams. While some voting machines were build by ATM manufacturers (like Diebold), the coding was rushed (at least we assume so, we don't get to see the coding), the machines are only used once a year at most, and the maintenance is done by amateurs who don't have the bank's monetary motivations for maintaining accuracy. In such a situation, voting machines can have many errors including:
* touchscreen misalignment
* coding errors
* introduction of malicious code e.g. via USB
* failure due to poor storage or aging out
* existing software vulnerabilities (particularly since most run Windows) that are uncovered during the lifetime of the machine but never patched, opening them to network or USB attack
The code that the machine runs must be correct (without significant bugs or errors), which is difficult (and expensive).
Worse, you must be certain that the code you have validated is actually the code it runs for every vote during the election, which is impossible. As in, literally impossible. The problem is, the only way to find out what code the machine is running is to ask it. Because machines are programmed by humans, machines can lie, just like humans.
Here's how it works:
Computer running the validated code
1. Computer expert queries the computer about what code it is running2. Computer says "I am running the validated code"
Computer running hacked code
1. Computer is hacked, adding malicious (lying) code to the validated code2. Computer expert queries the computer about what code it is running
3. The malicious code lies and says "I am running the validated code"
This is not theoretical, this is exactly what a rootkit does.
So if the machine only records votes electronically, you can never be sure if your vote was correctly recorded. (This is not to mention the possibility of alteration during a long electronic chain of transmission to get to the final election results.)
The only way to verify your vote is to get a paper printout, so that you can look at the paper and validate that it shows your vote as cast. But again, remember the computer can lie. You can vote for party A, the computer can record the vote for party B and then print a paper receipt saying you voted for party A.
The only way to actually be certain of the vote count is to count the paper...
which means you just spent millions of dollars replacing a pen.
These are just the core issues, in an ideal system.
In reality, there are many more problems with voting machines. Although some were based on ATMs, ATMs are physically bigger, have a simpler job, have much clearer transactional validation (ask for $100, complain if you don't get $100), and have dedicated maintenance teams. While some voting machines were build by ATM manufacturers (like Diebold), the coding was rushed (at least we assume so, we don't get to see the coding), the machines are only used once a year at most, and the maintenance is done by amateurs who don't have the bank's monetary motivations for maintaining accuracy. In such a situation, voting machines can have many errors including:
* touchscreen misalignment
* coding errors
* introduction of malicious code e.g. via USB
* failure due to poor storage or aging out
* existing software vulnerabilities (particularly since most run Windows) that are uncovered during the lifetime of the machine but never patched, opening them to network or USB attack
Labels: electronic voting, security, voting machines
Thursday, April 07, 2011
computers never make mistakes
They do exactly what people have told them to.
Like say a former computer programmer.
Who counts the vote on a stand-alone computer. In her office.
And discovers over 7500 extra votes due to a spreadsheet copy error.
Is this kind of farce how you want to run elections?
from August 13, 2010 Journal Sentinel - Officials dispute reliability of Waukesha County clerk's election data system
and what happened in 2011?
April 7, 2011 - Journal Sentinel - Prosser's huge gain comes after Waukesha County flub is caught
Now let us imagine this story told this way:
* for security purposes, the elections official has boxes containing all the votes, in her private office
* oh and she's an expert in creating ballots
* oh and she just discovered another box of ballots over there in the corner
Do you think any elections observer in the world would buy this?
But it's all done with computers, so I guess it's impossible there could be anything suspicious.
Human nature doesn't change.
And humans program computers.
And humans create the security for computers.
Computer security does not exist in the abstract. Computers do not defend themselves or program themselves. But somehow people think it is a realm beyond human emotion and failings. In the end it's systems created by humans, used by humans, that have to resist threats from humans.
This is what happens when you vote over the Internet:
* Someone with some credentials they got somewhere votes. Hopefully it's you, with your rightful credentials. But it could be anyone who gained valid credentials, anywhere in the world.
* These credentials are used to vote. This involves your computer, full of hundreds of competing programs created by fallible humans, interacting with a website created by humans, over a network built managed and run by humans.
* The vote... or at least a vote, lands on a server... somewhere, a server running thousands of pieces of human-created software. A server installed, controlled, and managed by humans.
So the good news is, as long as you can absolutely trust every one of the thousands of people involved in that chain, and all of the one billion people on the Internet can't outsmart their security, then your vote is fine.
And the above is all if it's done WELL, not if it's some bogus "the counting computer is in my back closet" ridiculously compromised chain of custody.
Or alternatively, you could set things up so local people from competing political parties are watching one another, mark the votes on paper, watch the ballot box containing the votes, and count all the votes in public. In minutes (for a Canadian election).
So your choice is:
1. If you trust everyone who has ever created or maintained any device or software in the chain from your keyboard to the vote-counting server, and everyone with access to the server room, and everyone else in the world who is on the Internet, then Internet voting is a great choice.
2. If you trust people from your neighbourhood who have the very human motivation of competing interests, with a process that is visible to you end-to-end, and immediate local consequences if fraud is found, then you might want to vote on paper instead.
We are very very good at understanding voting risk scenarios in the physical world. We are very very bad at understanding risk in the digital world.
Where would you rather have your voting taking place?
Like say a former computer programmer.
Who counts the vote on a stand-alone computer. In her office.
And discovers over 7500 extra votes due to a spreadsheet copy error.
Is this kind of farce how you want to run elections?
Waukesha County Clerk Kathy Nickolaus' decision to go it alone in how she collects and maintains election results has some county officials raising a red flag about the integrity of the system.
Nickolaus said she decided to take the election data collection and storage system off the county's computer network - and keep it on stand-alone personal computers accessible only in her office - for security reasons.
"What it gave me was good security of the elections from start to finish, without the ability of someone unauthorized to be involved," she said.
Nonetheless, Director of Administration Norman A. Cummings said because Nickolaus has kept them out of the loop, the county's information technology specialists have not been able to verify Nickolaus' claim that the system is secure from failure.
...
In March, Nickolaus said, she moved the data off that server and into her own stand-alone system. She has a backup on a second computer, she said. In addition, she said, as she programs for elections, she does frequent backups during the day.
Nickolaus said she was a programmer for 15 years before becoming county clerk. And she said her staff knows how to operate the system, so "if I get hit by a bus, this election is going to run just fine."
from August 13, 2010 Journal Sentinel - Officials dispute reliability of Waukesha County clerk's election data system
and what happened in 2011?
David Prosser gained 7,582 votes in Waukesha County, after a major counting error of Brookfield results was detected, County Clerk Kathy Nickolaus announced in a stunning development this afternoon.
Nickolaus says the reason for the big change is that data transmitted from the City of Brookfield was imported but that she failed to save those results to the database. Brookfield cast 14,315 votes on April 5 -- 10,859 of those votes went to Prosser and 3,456 went to JoAnne Kloppenburg.
"The purpose of the canvass is to catch these kind of mistakes," Nickolaus said. She called it human error that is "common in this process." "I apologize," Nickolaus said.
April 7, 2011 - Journal Sentinel - Prosser's huge gain comes after Waukesha County flub is caught
Now let us imagine this story told this way:
* for security purposes, the elections official has boxes containing all the votes, in her private office
* oh and she's an expert in creating ballots
* oh and she just discovered another box of ballots over there in the corner
Do you think any elections observer in the world would buy this?
But it's all done with computers, so I guess it's impossible there could be anything suspicious.
Human nature doesn't change.
And humans program computers.
And humans create the security for computers.
Computer security does not exist in the abstract. Computers do not defend themselves or program themselves. But somehow people think it is a realm beyond human emotion and failings. In the end it's systems created by humans, used by humans, that have to resist threats from humans.
This is what happens when you vote over the Internet:
* Someone with some credentials they got somewhere votes. Hopefully it's you, with your rightful credentials. But it could be anyone who gained valid credentials, anywhere in the world.
* These credentials are used to vote. This involves your computer, full of hundreds of competing programs created by fallible humans, interacting with a website created by humans, over a network built managed and run by humans.
* The vote... or at least a vote, lands on a server... somewhere, a server running thousands of pieces of human-created software. A server installed, controlled, and managed by humans.
So the good news is, as long as you can absolutely trust every one of the thousands of people involved in that chain, and all of the one billion people on the Internet can't outsmart their security, then your vote is fine.
And the above is all if it's done WELL, not if it's some bogus "the counting computer is in my back closet" ridiculously compromised chain of custody.
Or alternatively, you could set things up so local people from competing political parties are watching one another, mark the votes on paper, watch the ballot box containing the votes, and count all the votes in public. In minutes (for a Canadian election).
So your choice is:
1. If you trust everyone who has ever created or maintained any device or software in the chain from your keyboard to the vote-counting server, and everyone with access to the server room, and everyone else in the world who is on the Internet, then Internet voting is a great choice.
2. If you trust people from your neighbourhood who have the very human motivation of competing interests, with a process that is visible to you end-to-end, and immediate local consequences if fraud is found, then you might want to vote on paper instead.
We are very very good at understanding voting risk scenarios in the physical world. We are very very bad at understanding risk in the digital world.
Where would you rather have your voting taking place?
Labels: electronic voting
Sunday, March 06, 2011
organise online, act offline
... security and reliability problems have plagued the rollout of both electronic, kiosk-based, voting and Internet-based vote-from-home technologies in the United States. Annual political elections are hard enough to run without introducing yet more possibilities for voter fraud and abuse. Instead, new services, such as Smartvote.ch from Switzerland, use the Internet to inform voting at the polling booth.
Dr. Beth Noveck, Professor of Law - writing in her book Wiki Government, page 35
Dr. Noveck was United States Deputy Chief Technology Officer (2009-2011) and leader of the White House Open Government Initiative (@opengov). She tweets at @bethnoveck and blogs at http://cairns.typepad.com/
Labels: electronic voting, internet voting
Tuesday, October 26, 2010
CNN reports on voting tech
"Use of any touch-screen voting machine is the equivalent of a 100% faith-based election. No votes cast during an election -- none -- can be verified as having been accurately recorded on such systems. Ever."
CNN - Analysis: Our votes are counted accurately -- aren't they? - By Dave Schechter - September 30, 2010
The quote comes from Brad Friedman of The Brad Blog - Pac-Man Hacked Onto a Touch-Screen Voting Machine Without Breaking 'Tamper-Evident' Seals - August 21, 2010
Incidentally, this statement also applies to Internet and telephone voting.
Labels: electronic voting
legal perspective on e-voting
A couple good articles popped up yesterday:
* Electronic Voting and the Law: It’s Not Like E-Banking by John Gregory in Slaw ("Slaw is a cooperative Canadian weblog on all things legal")
Includes a nice section dismantling the "if we can bank electronically why not vote electronically" idea, including
* Editorial: Time to consider municipal election reform by Glenn Kauth in Law Times
Takes on the "electronic voting will help voter turnout" myth.
* Electronic Voting and the Law: It’s Not Like E-Banking by John Gregory in Slaw ("Slaw is a cooperative Canadian weblog on all things legal")
Includes a nice section dismantling the "if we can bank electronically why not vote electronically" idea, including
Banking: If someone has tampered with bank records (or the system malfunctions), the participants can restore balance by transferring money to where it belongs. The legal system allocates loss according to negligence, or by statute, among innocent parties if the rogue can’t be found.
Voting: If someone has tampered with the election results (or the system malfunctions), it is very difficult to restore normality without running the election again, even if one can find the rogue. The rogue is never able to restore things to where they should be.
* Editorial: Time to consider municipal election reform by Glenn Kauth in Law Times
Takes on the "electronic voting will help voter turnout" myth.
previous elections have shown that few people actually decide to cast a ballot. So finding new ways to get them out to the polls seems like a good idea.
But in Calgary, we’ve already seen what it takes: an exciting election with inspiring candidates.
Labels: canada, citizen engagement, electronic voting, internet voting
Monday, February 01, 2010
Ireland ponders how to dispose of its voting machines
Ireland jumped into the electronic voting arena, acquiring 52 million euros worth of equipment... and then determined the risk of using them was too high. So now they're stuck.
Times Online - Voting machines to be cast out - January 24, 2010
Previously:
February 10, 2005 understanding the true costs of voting machines
February 07, 2005 Ireland does things right
February 03, 2005 Canadian e-voting officials, behold your future: Ireland
Eight years after they were acquired for €52m, the government wants to return 7,500 barely used electronic voting machines to their manufacturer.
John Gormley, the environment minister, announced last March that he had set up an inter-departmental taskforce to deal with the disposal of the machines, after deciding they would never be used to count votes in an Irish election.
Times Online - Voting machines to be cast out - January 24, 2010
Previously:
February 10, 2005 understanding the true costs of voting machines
February 07, 2005 Ireland does things right
February 03, 2005 Canadian e-voting officials, behold your future: Ireland
Labels: electronic voting, ireland
Friday, December 18, 2009
Canadians support online voting?
Very active discussion (over 400 comments at the time of this writing) on CBC News story Canadians support online voting: poll (with the usual Internet comment range between somewhat thoughtful and incoherent ranting)
Here's the comment I left:
In the poll, released exclusively to CBC: Power & Politics, Canadians were asked if Elections Canada offered a safe way of voting on the internet, how likely is it that they would use it.
Around 49 per cent of respondents said they were very likely and 15 per cent said they were somewhat likely.
Here's the comment I left:
Information on the Internet is just a click away. This issue has been well-studied by computer security experts. One part of it comes down to this magic phrase "a safe way of voting on the internet". That is probably impossible in the real world, outside of the confines of computer science theory. I know some will respond "online banking is already secure" but 1) it isn't & 2) banking has a completely, totally different set of threats and necessary security measure from voting
One good starting point is the Computer Technologists' statement on internet voting http://www.verifiedvoting.org/article.php?id=5867
"Election results must be verifiably accurate -- that is, auditable with a permanent, voter-verified record that is independent of hardware or software. Several serious, potentially insurmountable, technical challenges must be met if elections conducted by transmitting votes over the internet are to be verifiable. There are also many less technical questions about internet voting, including whether voters have equal access to internet technology and whether ballot secrecy can be adequately preserved."
I want to draw attention to that phrase: "potentially insurmountable". Given that paper voting works well now, is easy to understand, and is quick to count, would you rather stay with that, or try a system that computer experts say may be impossible to create? One which even if it solved the technical problems, would still have no solution for the secrecy of your ballot, a sacred right of democracy. Voting integrity is not theoretical. We know that votes were compromised in Iran and Afghanistan. Now imagine instead of paper votes and people in the streets, it had all taken place electronically? You would never know if the results reflected the votes cast.
Labels: canada, electronic voting, internet voting
