Paper Vote Canada

This is the raw text of my @papervote tweets from the Elections Canada Internet Voting dialogue. (I'm archiving here because these will disappear from Twitter eventually, and also because I realise many of you prefer to get the text here rather than following in real-time or trying to page through Twitter.)

I have flipped the order so it is more readable - it's oldest first.

First tweet is at 8:54 AM Jan 26th 2010 and last one was at 4:56 PM Jan 26th 2010.
There are a total of 276 tweets.

BEGIN TWEETS

am set up on tethering and will be liveblogging under hashtag #ivotecan - there is a media section here but I only see one person so far

Elections Canada communications has very graciously allowed me to sit at the media table and get power for my netbook. #ivotecan

event is being opened #ivotecan - Elections Canada speaker up next

2/3 of Canadians likely to vote online according to recent survey - Elections Canada #ivotecan

lessons Canada can learn from other jurisdictions within Canada and outside Canada #ivotecan

Elections Canada pilot project will test secure voting via Internet for selected groups eg disabled, Canadians in other countries #ivotecan

Elections Canada emphasizing convenience of Internet voting - but "must maintain level of integrity that Canadians expect" #ivotecan

"Internet voting as an online service" #ivotecan - Elections Canada

Group is working on consistent cross-level standards (provincial, national etc.) #ivotecan

members of parliament and other experts reported to be in audience #ivotecan

Prof. Alvarez up next #ivotecan

Prof Alvarez and audience #ivotecan http://twitpic.com/zuo00

Alvarez will talk about American experience, upsides and downsides #ivotecan

Rationale for Internet Voting: evolution in US from handcounted to optiscan to paperless (nonnetworked and networked systems) #ivotecan

electronic technologies also used throughout the elections process in the United States #ivotecan

defining Internet voting: transmission of ballot over network - references his book One Click One Vote #ivotecan - public elections context

EDITORIAL NOTE: I misheard Alvarez, the book is actually Point, Click and Vote: The Future of Internet Voting. He has also written other books on the topic. END EDITORIAL NOTE

both home computer as well as kiosk Internet voting #ivotecan

Why innovate election tech? - turnout, accessibility, security (!), accuracy (!), efficiency, international access, cost #ivotecan

"How can these technologies improve the efficiency and reduce the cost of election administration?" #ivotecan

American experience - elections have vastly decentralised administration - run at the county level - not national #ivotecan

American experience - "complexity of ballots, regulations and procedures" #ivotecan - may be "dozens and dozens" of items

American experience - multiplicity of ballots, in different languages, covering huge number of items to vote upon #ivotecan

American experience - 2000 Presidential election - controversies have continued about use of electronic voting tech #ivotecan

American experience - California Internet Voting Task Force (2000) - has shaped a lot of US thinking #ivotecan

American experience - Internet voting - Alaska Republican party (Jan 2000) - Arizona Democratic party (March 2000) #ivotecan

Internet voting in 2000 Presidential election - 6 million Americans overseas (military, gov etc.) - special voting rights #ivotecan

international voting - mail transit time to and from e.g. Iraq is a big concern - Internet voting reduces transit time #ivotecan

2000 experiment was a proof of concept - focus on feasibility - electronic version of mail voting system #ivotecan - limited # participants

US international Internet voting used PKI credentials for authentication #ivotecan

not a lot of data - 91 registered, 84 voted using international Internet voting system for US in 2000 #ivotecan

"no security breaches found" for 2000 international Internet vote for US #ivotecan

followup: SERVE - Secure Electronic Voting Registration and Voting Experiment - planned to involve as many as 100,000 #ivotecan

SERVE wasn't implemented because in early 2004 study by computer security experts caused it to be cancelled #ivotecan

in early 2004 Michigan Democratic Party allowed online voting - 28.57% online votes of 162,000 votes total #ivotecan

"Controversies regarding electronic voting machines in 2004 and 2006 elections" #ivotecan

"Election admins and stakeholders reluctant to take on risks associated with voting pilots experiments or transitions to new tech" #ivotecan

ODBP - Okaloosa Distance Balloting Project, implemented in 2008. Kiosk voting for UOCAVA citizens at 3 international locations #ivotecan

there were a few problems with Okaloosa tech but tiny number (<100) voters #ivotecan

use of kiosks means you can ensure the kiosk is secure, rather than using insecure personal computers #ivotecan

(for tests) "Without better scientific design, most of the important outcome variables are difficult to assess" including security #ivotecan

"insufficient data collected" based on US Internet voting experiments to date #ivotecan

Security: What are the real vulnerabilities? How can you mitigate vulnerabilities? Need real experiments #ivotecan

next up: panel on Canadian experiences with Internet voting #ivotecan

Nicole Goodman of Carleton moderating and introducing the panel, which will discuss Canadian municipal Internet voting #ivotecan

first up: Markham's Online Voting Experience by Kimberly Kitteringham and Andrew Brouwer (Town Clerk & Deputy Town Clerk) #ivotecan

Markham Internet voting: 2006 election and plans for 2010 #ivotecan

80% of Markham residents have high-speed Internet access #ivotecan

Why online voting: electronic service delivery, multichannel service delivery, changing lifestyles, "new electorate", convenience #ivotecan

municipal turnout hovered around 30% - Internet voting a channel to encourage participation in voting process #ivotecan

online voting a way to enhance participation by people with disabilities #ivotecan - equal access to the electoral process

2003 positive Internet voting experience positive, recommended online voting for 2006 #ivotecan

Principles identified: security, accuracy, privacy, authentication/verification #ivotecan

Independent Risk Analsys by Henry Kim of York University; Gartner Group security review of IT platform #ivotecan

Dr. Kim found "similar reasonable risks" with two-step voting to in-person voting, and better characteristics than mail-in voting #ivotecan

Partnered with Election Systems & Software (ES&S) for provision of online voting; security of platform verified by Gartner Group #ivotecan

Comprehensive communications plan about Internet voting / voter awareness provided by Delvinia Interactive #ivotecan

2006 online voting only available during early voting period #ivotecan

reporting positive numbers >75% satisfaction from Delvinia survey #ivotecan found it convenient, voted from home

approx 6000 voted online in 2003, approx 10,000 voted online in 2006 #ivotecan

Change in online voting: earlier campaigning, be clear about ID requirements, change in nature of scrutineer function #ivotecan

scrutineers obviously cannot see voters receive and cast their ballot, unlike in-person voting #ivotecan

2010 Markham issuing RFP for online and tabulator vote systems - 3rd party review of online voting security - access plan #ivotecan

Markham "online voting viewed by staff as continued opportunity for service excellence and civic engagement" #ivotecan

Halifax Regional Municipality (HRM) Internet voting experience next up #ivotecan
Cathy Mellet, Acting Clerk/Manager, HRM #ivotecan

HRM covers large physical area, estimated to have population over 410k by 2012 #ivotecan

4 year "e-voting journey" starting in 2004 - Jan 2007 council approved Internet/phone advance voting with "2 levels of ID verify" #ivotecan

discussing mitigating risks while taking advantage of opportunities #ivotecan

RFP in 2007, selected Intelivote for HRM #ivotecan - had to change Municipal Elections Act and HRM by-law to permit

2008 event demographics 279,000 electors; advance voting: 10% of eligible, 28% of votes cast, 88% used Internet. #ivotecan

"engagement matters to voters" HRM #ivotecan

Principles Balance: accessibility vs scrutiny, engagement vs. integrity, convenience vs security... #ivotecan

objectives: ensure integrity, ensure compliance with regulations... #ivotecan

Partnership with Elections Nova Scotia & vendor #ivotecan

HRM election system & data transfer to vendor #ivotecan - also needed support/help centre and contingency plan

something about firewalls but presentation is going way too fast for me to keep up #ivotecan

voter identification "2 shared secrets" - mailed out password + voter birthdate #ivotecan

Sept 2009 special election - "complete internet voting from advance voting to election day" - "realtime voters list", kiosk #ivotecan

"substantially increased turnout" for special election (30% vs. 10% in previous special elections) HRM #ivotecan

e-voting works, well received, cost effective, greener #ivotecan

Jon McKinstry, Sales Manager, Dominion Voting Systems - presenting City of Peterborough story #ivotecan

Peterborough population 75,600. Internet voting 4400 registered, 3500 cast a vote, total 7% of votes were cast over Internet #ivotecan

if you registered for online but didn't vote over Internet, you could still come and vote in person #ivotecan

reasons: leader in delivery of voting systems, embrace tech, increase voter participation, adapt to changing lifestyles #Ivotecan

spike in demographics for Internet voting actually people 40-50, didn't actually have a peak in younger voters #ivotecan

needed realtime strikeout of voters list so that you couldn't vote online and then vote again in person #ivotecan

wanted a system that would consolidate votes from optical scan and internet voting #ivotecan
Principles: ... going too fast for me to keep up #ivotecan

independent security audit of Dominion Voting by Digital Boundary Group (London, Ontario) #ivotecan

again a shared secret system with the secret being the year of birth being the "secret" along with a preselected q/a #ivotecan

PIN number through regular postal mail or encrypted email #ivotecan

audit: password strength, denial of service, injection, ensure intrusion detection in place, system security vulnerability scans #ivotecan

audit reported "Dominion system was a very secure solution" #ivotecan

vote: elector ID + PIN number, separate website, answer preselected question set at reg time, ?enter birthdate? (not mentioned) #ivotecan

Peterborough - ease of use - could cast ballot for 5 days, 24 hours a day #ivotecan

election help desk as well as 1-800 call centre provided by vendor #ivotecan ("about 100 calls came in")

computers also provided at city hall, library, other sites #ivotecan

enhanced features: accessible ballot with zoom, audio, JAWS compatibility #ivotecan

Lessons learned: important for officials to have "complete understanding" of process and technology #ivotecan

Lessons: important to have dedicated marketing, increase number of laptops, run longer (from advance to election day) #ivotecan

approx 15 minutes for questions #ivotecan

am sitting next to @punditsguide

Q to panel from @punditsguide : privacy - 1 destruction of e-ballots? (e-ballot could be
linked back to individual) #ivotecan

Q to panel from @punditsguide : 2 what about voters being coerced at home #ivotecan

Markham: unsupervised voting - one person in a household could do all the voting - part of the risk assessment ... #ivotecan

Markham: unsupervised voting "a risk we were willing to accept" - used education about one person, one vote, secrecy of vote #ivotecan

?Markham? - how are online ballots handled - retained for same duration as paper ballot #ivotecan

?Markham? - paraphrase: no way to connect an individual voter to how they voted in the system #ivotecan

HRM - created substantial penalitys ($10k, 2y in jail) for voter fraud, collusion, or influencing #ivotecan

HRM - asked for certificate of destruction for online ballots from vendor #ivotecan

HRM - "two separate systems" that ensure no connection between voter and votes cast #ivotecan

Q City of Toronto: How do you handle recounts? #ivotecan

Halifax - recount = paraphrase "reopen the encrypted file and look at the data points" #ivotecan

Q City of Toronto: do you capture a (screen) image of the vote as cast? A from HRM: no we just record a data point #ivotecan

A on recount from Markham: "an electronic recount of an electronic vote" #Ivotecan

something about "data as recorded when polls closed and put on memory stick for auditor" ? #ivotecan

Jeremy Clark from Waterloo - privacy question - what kind of data is kept about timing of votes - ... #ivotecan

Jeremy Clark... if you keep timing info you can look at vote time and vote recorded and correlate to figure out who cast what vote #ivotecan

answer from panel: timing is kept, it is a risk but ... someone internal would have to do this attack #ivotecan

Q from Elections Ontario: is a preaudit done - is it possible to test the system before event - and is there postevent test #ivotecan

A from HRM - "audit ballots" cast before, during and after election #ivotecan - realtime tests of the system

A from Peterborough - security tests in advance, intrusion tests etc. #ivotecan

A from Markham: similar process to Halifax #ivotecan

Q: load testing? A from HRM: yes, Oracle platform not even stressed, a non-event. Markham: similar to Halifax #ivotecan

Q did you survey people who didn't use the system? do you know why people registered to vote online but didn't? #ivotecan

A from Markham: survey appeared online right after you voted online #ivotecan

EDITORIAL NOTE: At this point I hit an unexpected Tweet cap for a new account (128 tweets). For the rest of the morning I had to move to liveblogging on FriendFeed. I will try to integrate that reporting here later, but for now you can see it by paging through http://friendfeed.com/electronic-voting-in-canada (which also includes some of these tweets)
END EDITORIAL NOTE

tweeted so much, so fast, from this new account that I got temporary twitter lockout. morning reporting at: http://bit.ly/84ynMb #ivotecan

@kirkschmidt there was a Q "risk of internal staff", the response from HRM was "this is a risk we've always had to deal with" #ivotecan

@pmarchi No one has a good (technical) answer to the coercion issue. HRM made coercion "more illegal" with $10k fine, 2y prison. #ivotecan

Just wanted to mention @punditsguide has been doing a great job of tweeting this very fast-moving event. #ivotecan

@jasonkitcat Yeah and in fact several speakers have said convenience mostly helps save existing voters time, no big turnout boost. #ivotecan

I have blogged a brief summary this this morning's very fast, info-packed set of presentations: http://bit.ly/aqPSjY #ivotecan

Tech considerations session presenters: marketer, vendor, open-source guy, tech guy (Peter Wolf of IDEA, Masters in Computer Eng) #ivotecan

Tech considerations panel: Peter Wolf stuck in snowstorm in Frankfurt or something. #ivotecan Projector also not working (tech irony).

Wolf's notes: trust, transparency, but no external evidence of system's correct operation. Hence systems depend on public trust. #ivotecan

Wolf asserts you must then extend greater trust to the entire electoral system as well as have auditors #ivotecan

Wolf: Internet voting - client computer - "nobody can know if this computer can be trusted" #ivotecan

Wolf: observers would like to get insight into operation of systems, and computer security experts may be fundamentally opposed #ivotecan

It's too bad Wolf isn't here, because his notes raise many excellent points. #ivotecan

Wolf: trade secrets may block trust in system, ability to observe operation, due to black boxes e.g. operating systems, code #ivotecan

Wolf: Opening the Black Box. Norway - public access to source codes. Council of Europe - certification guidelines / standards #ivotecan

My editorial comment: it doesn't matter if your source code is open, you can't prove that's the code that is running. #ivotecan

Wolf: commercial vendors were willing to divulge codes if made a condition of Internet voting contracts #ivotecan

Wolf: lack of common standards for certification - issue recognized by Council of Europe #ivotecan

Wolf: sequoia source code released in USA (editor's note: just google that term to find out the results of analysis of the code) #ivotecan

Adam Froman: Delvinia Interactive - marketer/comms for Markham Internet voting #ivotecan

Adam Froman admits up front he doesn't know or care about the technology. He's going to talk about the voter experience. #ivotecan

Delvinia got CANARIE grant to study the use of broadband tech for municipal services - brought $200k to the table for Markham #ivotecan

@zippyFX it's not hard to write a trojan that sends a response back claiming to be the correct software

Delvinia positioning Internet voting as an option, not a replacement for traditional paper vote #ivotecan

Delvinia studied voter attitudes. And also worked on the voter outreach. Including education about registration changes #ivotecan

Delvinia - 2003 - interactive guides - but there's a general need for voter education, regardless of whether they're voting online #ivotecan

Delvinia - web site satisfaction survey - postpolling, online surveys #ivotecan

[ED COMMENT:] In case people don't know Canadian system: scrutineers from all parties watch the open counting of the paper ballots. Many eyes. #ivotecan

Delvinia - with advanced poll, sometimes politicians would show up at people's doors and discover they had already voted #ivotecan

Delvinia: voter registration process was main barrier to Internet voting #ivotecan

@zippyFX the trojan hides in the query stream and lies. Gives the correct CRC, size, response. See e.g. rootkits.

over 90% of people who voted online in Markham said they would be interested in voting in Federal election #ivotecan

Delvinia guy makes "tech is a part of people's lives" argument #ivotecan My counterargument: educate them about the risks of Internet vote.

Delvinia has a point that the new political engagement is a "digital dialogue" with citizens. Engagement beyond vote #ivotecan

Editorial comment: don't mix social media engagement with the need to secure one-time voting experience #ivotecan

Dean Smith of Intelivote also says he will not talk about the tech side of things at all #ivotecan Small Nova Scotia company.

getting sales pitch for Intelivote now #ivotecan

Intelivote assists in writing electronic voting legislation for countries (!) #ivotecan

Intelivote - integrated polling stations, telephone and Internet voting #ivotecan

Intelivote - pitch is "more choice" #ivotecan

talking about components of election system: help center, auditors, Intelivote control, electors, candidates, officials #ivotecan

components of election system diagram shows "Intelivote system" in centre of everything, which kinda freaks me out #ivotecan

Intelivote considers it a benefit that you can vote from anywhere in the world #ivotecan

Intelivote - anecdotal report about first time visually disabled voters were able to cast vote on their own thanks to technology #ivotecan

Intelivote - 2009 by-election "almost 70% voted electronically" is I think what he said #ivotecan

33 municipal elections in Ontario used Internet and/or phone voting #ivotecan "Canada as a leader" rhetoric coming from Intelivote

Speaking of rhetorical questions: Intelivote - "Why are Canadians so open to eVoting?" #ivotecan

Intelivote pitch: choice, flexibility, immediate, auditable results, voter intent clear - no spoiled ballots, enviro friendly #ivotecan

Intelivote pitch (continued): don't have to staff polling stations #ivotecan

Jason Gallagher: open source vs. propriety in 10 minutes or less #ivotecan

err vs. proprietary that is #ivotecan

defines source code #ivotecan

Gallagher explains in proprietary code, you never get to see the source code #ivotecan

looks like @punditsguide has hit a status update limit as well. have directed to http://friendfeed.com/electronic-voting-in-canada

Gallagher explaining open source software - allows peer review of software, no vendor lockin, gives rights to software users #ivotecan

Gallagher: free to modify open source, don't have to rely on vendor #ivotecan

Gallagher: why open source for voting - transparency, not a black box, accountability, auditability, security #ivotecan

Gallagher: how can shared source code be secure? paraphrase "many eyes make bugs shallow" - don't rely on secrets #ivotecan

Gallagher: there will always be hackers, but if your system is open, you also allow people to help you to improve #ivotecan

Gallagher: proprietary advantages - ready made ./ off the shelf, someone to blame if it goes wrong #ivotecan

Q from ? Alex Sussex ? Univ of Ottawa: everyone can witness paper ballot tally. "you can't actually see software occuring" #ivotecan

Q (continued): what role do candidates play in the observability of the tally? #ivotecan

Q (continued): you don't know what's going on inside the system... what role do candidates play to convince the voters #ivotecan

A from Intelivote: candidates want to be involved... the module shows people being struck off the voters list as they vote #ivotecan

A from Intelivote: no equivalent role for scrutineers in electronic world - no recount #ivotecan

A from Delvina: you're asking the wrong question. Should be "What would you need to see equivalent to paper voting?" #ivotecan

Editorial comment: there is no equivalent to observing the internals of the system analogous to scrutineer role #ivotecan

A from computer security researcher who asked original question: "there are new ways that allow voters to engage in the auditing" #ivotecan

Intelivote: system observing itself is "placebo effect" - one electronic process is observing another electronic process #ivotecan

Intelivote does allow peer review of its code #ivotecan

Intelivote uses randomization to avoid matching timestamps to determine who voted for whom #ivotecan

Q: how do panel see Internet voting rolling out across Canada #ivotecan

A from Intelivote: says Canada (and by extension Intelivote) has reputation and experience #ivotecan

Delvinia guy says you can use open source if you have the resources to build the solution #ivotecan

Editorial summary: Intelivote guy argues "reputation and experience", Delvinia guy argues "it's inevitable anyway" #ivotecan

Q from Elections Quebec: is there established, audited open source software available #ivotecan

A: one example in Australia, project has since been cancelled. Professor found error in source code. was fixed. #ivotecan

A from Tarvi: not about open source - about auditability and transparency. Estonia does not publish its source code. #ivotecan

A from Tarvi: Estonia ready "at any second" to sign NDA and provide code for auditing purposes #ivotecan

A from Tarvi about client side code: could be very easy to create malicious client side app - don't give out client side code #ivotecan

A from the audience: more open source - Scantegrity open source system, open voting consortium, ?OSEB? - DRE software #ivotecan

break and then roundtable discussion #ivotecan

observations from Alex Treschel - should do trials, with Canada-specific-research and analysis of the results #ivotecan

Alex Treschel - make sure you are not generalising from very small data sets or experiments #ivotecan

Alex Trechsel - cautions against generalising even from e.g. Halifax to other Canadian municipalities #ivotecan

Tom Hawthorn - when is it right to move? should we lead new tech (in elections) or follow well established technologies? #ivotecan

Tom Hawthorn - experience in UK was that perhaps they hadn't thought things completely through #ivotecan

Tom Hawthorn but if you wait too long, you may miss an opportunity #ivotecan

Tom Hawthorn - need to understand who is driving the process, who is holding the budget - better if electoral admins drive #ivotecan

Tom Hawthorn - place development of voting systems / software in an international context rather than individual countries #ivotecan

Tom Hawthorn - should develop common understanding and set of benchmarks #ivotecan

Tarvi Martens - electoral system is about trust. holds the same for evoting as for paper. #ivotecan

Tarvi Martens - example of failure in Netherlands. example of failure in Lithuania due to suggesting banking credentials #ivotecan

Tarvi Martens - example of failure in ?Finland? - if you screw up deployment, you will be set back a decade or more #ivotecan

Tarvi Martens - if the deployment of your system, including the user part, does not build trust, you will fail #ivotecan

Tarvi Martens - asserts user identity is critical to system (not surprising since he is expert on computer credentials) #ivotecan

Tarvi Martens - password based systems or weak credentials are easy to attack #ivotecan

Tarvi Martens - if people succeed in compromising your system, you will have a huge setback in trust #ivotecan

Jon Pammett: a wide variety of "policy laboratories" in Canada for Internet and other voting systems experimentation #ivotecan

Jon Pammett: not an expert in tech, wondering if Internet voting will increase turnout, but it seems based on today it won't #ivotecan

Jon Pammett: Internet voting doesn't appear to address voter engagement, which is the true driver of turnout #ivotecan

Jon Pammett: concerned about (my words) consequences of Internet voting road not taken #ivotecan

[ED COMMENT:] argument from panel that mixes "tech use" with youth. In my opinion, this is a false mix. Young people are not tech experts. #ivotecan

Editorial comment: I think there needs to be better research into what actually drives voting, rather than speculating #ivotecan

Q from @punditsguide: Canada examples are municipalities which are low turnout, not highly contested elections #ivotecan

Q @punditsguide: how will this work in a much more competitive election where votes are closer #ivotecan

Q (U Calgary): assess evoting based on increased efficiency? (code for saving money) - but if used in advance voting... #ivotecan

Q (U Calgary, contd) will increase cost of elections without noticeable effect on voter turnout? #ivotecan

Q (U Calgary, 2nd question): where research has been done on impact by age, no positive impact in bringing youth vote #ivotecan

Q (U Calgary, 2nd q): seems that Internet vote is mostly middle-aged turnout. #ivotecan

Q (U Calgary): seems like greater cost and no greater turnout - then what is justification for Internet voting? #ivotecan

A (Jon): age profile data is from municipalities - young people not engaged in municipal politics #ivotecan

@jasonkitcat seems to be a dialogue between desire for turnout and issues about trust #ivotecan

A (Jon): in competitive elections - possibly true people would be more likely to attack systems #ivotecan

A (Alex): in competitive elections higher risk - try it out in less competitive contexts too (and remember Swiss cap evote at 10%) #ivotecan

A (Alex): (not exact quote) "doesn't cost that much, comparitively" for "making people happier in democracy" #ivotecan

A (Alex): also remember youth never had high turnout, but it is dramatically low in e.g. Canada #ivotecan Internet voting not a panacea

A (Tarvi): to use Internet voting in Federal election for the first time is a bad idea - start small #ivotecan

A (Tarvi): Estonia formed a group of IT security experts, every step was security, security, security #ivotecan

A (Tarvi): Estonia knew exactly the potential failure points, the risks #ivotecan

A (Tarvi): if you haven't done your security due diligence, hackers can expose issues and destroy trust in your system as in NL #ivotecan

A (Tarvi): if you reuse your system, then over the long term the costs are lower #ivotecan

A (Tarvi): Internet voting not to increase turnout, it's to PRESERVE the turnout #ivotecan

A from Markham: cost for Internet voting were "quite small", "reasonable" #ivotecan

A from Markham: did see increased turnout #ivotecan not enough data to attribute directly to Internet voting

A from Markham: hackers "a cynical argument" against Internet voting, look at opportunities instead #ivotecan

A from HRM: if you can decrease the number of poll locations you decrease cost and "risk" (training / staff risk) #ivotecan

Comment (Nicole Goodman?): We don't know how any particular Internet voting model will work in any jurisdiction, need trials #ivotecan

Comment: yes there will be a large upfront cost, and there should be since it needs to be done right #ivotecan

Comment: cheaper over the long term #ivotecan

Comment: we can't fix turnout with Internet voting but there is no one solution, young people are not homogeneous group #ivotecan

Editorial comment: cheaper over time is hard considering you need 24/7 physical & net security for data centre 365 days/yr #ivotecan

Q: what are the main arguments against Internet voting? #ivotecan (other than security)

Q (Elections Canada): can academics map when a region is "mature" enough to go on an Internet voting route #ivotecan

A (Tom): Germany ruled use of Internet voting unconstitutional as it was inherently un-understandable by avg citizen #ivotecan

A (Tom): no one knows what the cost model is going to be in the future. may see some new kinds of costs #ivotecan

A (Tom): new costs = auditors, consultants, security experts - could be very expensive #ivotecan

A (Tom): most people in elections systems are not experts in electronic systems / security design - maybe they need to be #ivotecan

A (Tarvi): in Estonia Internet voting was challenged about uniformity of voting #ivotecan

A (Tarvi): ruling was that multiple times to vote over-rides privacy concerns (not sure I understand his answer) #ivotecan

A (Alex): groups in Geneva were strongly opposed to Internet voting (computer security experts) #ivotecan

A (Alex): in Geneva they engaged in a dialogue with the computer security experts #ivotecan
http://www.e-voting.cc/ - Internet voting conference, models #ivotecan

A: an argument against Internet voting - voting in person is a communal experience #ivotecan

Editorial comment: first mention today of compulsory voting as a direction for turnout and
engagement #ivotecan

audience comment: 8 million voters in Ontario, 800000 will be voting "electronically" - "it's happening" #ivotecan

I think it's the Intelivote guy: cost savings of electronic voting #ivotecan

aaaand we're done #ivotecan

@jasonkitcat I didn't get a strong sense of a driver other than "seems like a good thing to try"

@punditsguide good to meet you as well

END TWEETS

Labels: elections canada, internet voting, ivotecan

I liked that the municipalities, particular Halifax Regional (HRM) talked about a risk mitigation framework, but I don't think they fully appreciate the degree of risk they're accepting, particularly since they're using third-party technology from private companies.

I was most impressed with Tarvi Martens' presentation about the technical details of the Estonian Internet voting system. They have clearly thought very seriously about the various issues involved, and have very very heavy physical security for the data centre, and no remote admin access outside the datacentre. He also emphasized they had a principle of "no black box systems" in the data centre, so they use Debian, an open source operating system, rather than Windows. The fact they have a national ID card addresses the key distribution and network encryption issues (because the ID card includes an encryption key, a public/private digital signature key). They also put ISPs on high alert during the election period and monitor continuously for attacks.

I did ask him the security of the user's desktop and his answer was reasonable but to me, ultimately still unsatisfactory. They are using what I assume are honeypot systems to monitor for emerging trojans that pretend to be some component of the desktop voting system (or presumably the ecard reader driver etc.) They also have as the first step of their voting procedure that the user should ensure their system is scanned for viruses. However there are multiple issues including the innumerable vectors for home system attack, the fact that most users WON'T secure or scan their systems no matter how often you educate them about the issue, and the possibility for root kit or other subtle elusive trojans that might not be picked up by their honeypots.

He did say, which I think is an important contingency measure, that in the event they did detect a widespread trojan attack they have the possibility to simply shut down Internet voting and tell people to vote on paper on their regular voting day (Sunday).

The other thing I heard from multiple speakers is that Internet voting is not having substantial impact on turnout. What it is doing is making it more convenient... for people who would have already voted.

Labels: elections canada, internet voting, ivotecan

In case you're new to the blog, the Blogger navigation is not all that great, but if you're on the blog (rather than reading through RSS) you can use the search in the upper left, or browse the archives listed a ways down on the right hand side. The archives stretch back to February 2004; this is not a new blog.

Labels: meta

Liveblogging Internet Voting event at @papervote under hashtag #ivotecan

UPDATE: Have exceeded the status update limit for @papervote (!) - already just for the first session. Have moved to liveblogging on FriendFeed at http://friendfeed.com/electronic-voting-in-canada

Labels: elections canada, internet voting, ivotecan

I have looked at the materials provided for the Internet Voting event on January 26, 2010 and there are no participant biographies, so here is whatever I can find. I am listed academic credentials where available not because I think everyone needs to be a computer scientist trained in security to fully understand the issues, but because at least SOME of the people involved need to be computer & network security experts. I am also indicating corporate affiliations because no reasonable person can argue that a corporation providing Internet voting technology is going to do anything but present (through its spokespeople) every possible positive argument FOR Internet voting technology.

This is simply an analysis of the players from a computer security standpoint. Three main points are examined:
1. What is their academic background in computer security
2. What are their stated positions about Internet voting or, in the absence of statements, what is their corporation's position on Internet voting
3. If they are providing Internet voting technology, what information is publically available about the security analysis for these systems? It is incumbent for all voting technology providers to address all realistic threats to their systems in an open manner. There is no security through obscurity. A failure to do so shows an unseriousness about security.

I also want to make a key point: elections do not hinge on voter perceptions of security and convenience. Elections hinge on ACTUAL security. Asking members of the public if they think Internet voting is secure enough or if they are comfortable voting online or if it is convenient to vote online does not mean, in any way whatsoever, that the actual vote is ACTUALLY SECURE.

If citizens perceive a bank as (financially) safe but government regulation actually creates a situation where the bank fails (as has happened repeatedly in the United States), then it is clear the citizen perception was meaningless, what was important was the government failure to actually deliver an appropriate level of ACTUAL security.

And again, even if the system was actually secure, which is somewhere between highly unlikely and impossible, it still doesn't mean the system meets necessary requirements for a functioning democracy.

The Players:

* Michael Alvarez, California Institute of Technology (Caltech)
- Dr. Alvarez is a Professor of Political Science at Caltech and Co-Director of the Caltech/MIT Voting Technology Project. His BA, MA and PhD are in Political Science.
- info from CalTech site

The mission of the Voting Technology Project is, not surprisingly, around technology: "All of this research and policymaking activity seeks to develop better voting technologies, to improve election administration, and to deepen scientific research in these areas."

It is important to remember that US elections are much more complicated than Canadian elections, with many more candidates running for many more positions, in addition to (in many states), multiple complicated ballot initiatives (direct democracy issues to be voted upon).

* Kimberley Kitteringham, Town Clerk, Town of Markham
- reported in media as advocating Internet voting

"We definitely think our early voting turnout was a direct result of the increase participation of people in the online voting process because online voting, from our staff and post-election survey, engages the voter that has been typically apathetic or difficult to reach. It offers a convenient solution for them because they can do it from anywhere in the world," Ms Kitteringham said.

yorkregion.com - Internet gateway to election reforms in Vaughan - September 30, 2009

* Andrew Brouwer, Deputy Town Clerk, Town of Markham
- Bachelor of Environmental Studies , Urban and Regional Planning; Master of Public Administration , Local Government Program (from LinkedIn profile)

* Cathy Mellett, Acting Clerk/Manager, Halifax Regional Municipality
- reported in media as advocating Internet voting

"We had people vote from Sri Lanka, from Korea, from over 50 Canadian cities and 25 American states," said Cathy Mellett, e-voting project manager for the Halifax Regional Municipality.

"That's really been the objective from the very beginning, it's about getting voters accessible and participating in the overall election here in the HRM."

Mellett said there were no serious glitches in the system during the voting period.

CBC News - 10% of HRM voters cast e-ballots - October 7, 2008

* John McKinstry, Sales Manager, Dominion Voting Systems
- a company that has literally trademarked the word democracy: "Dominion Democracy™ is our comprehensive yet flexible voting suite, designed to uphold the principles and ideals of the electoral process."
- message is shaped entirely around turnout

Voter turnouts continue to fall even in the face of aggressive communications campaigns at all levels of government. One way to improve turnouts is to give the voters more voting choice; choices that reflect changing technologies. Chief among these alternative choices is remote voting. In taking voting to the voter, you remove one of the barriers to turnout.

Taking the voting booth to the voter
- according to Google search (site:www.dominionvoting.com security) entire site has exactly two mentions of security
1.

Everything before and after the ballot is hosted on computer servers. There may not even paper ballots, as is the case with Internet voting.

Dominion can host your elections on our secure servers to ensure the integrity of your election. We pride ourselves on the security and permanency of our server system.

Hosting your election
In summary: your election, hosted on a private company's servers. How do you know they are secure? Because they pride themselves on security.
2. There is a single instance of the word "security" in their document Democracy Suite EMS Edition 2007 (PDF)

To address the sensitivity of the election process from a security standpoint, the system provides role-based authentication and authorization, while all data transactions are protected for greater confidentiality and data integrity.

While it is good that the system uses authorisation to limit access, and "protection" for data transactions (whatever that means), this assumes that a) the authentication credentials have not been compromised b) the network transmission is a particularly vulnerable and interesting place to attack.

Just on the second point: HTTPS encyrption of web transactions is essentially like using an armored car to transport money between two completely unsecure endpoints, between a house with no locks on its doors and a bank vault with no lock or security system. Attackers target system weaknesses. Since the Democracy Suite uses Windows computers, isn't an attacker more likely to attack the servers themselves using known Windows vulnerabilities, than to try to intercept the data in transit? The document does not address these issues. You have to secure Internet voting systems END-TO-END, from keystroke on the desktop to calculated results on the datacentre servers. This is impossible to do with anything approaching a high level of security (a high level of risk mitigation) for an election threat model.

* Alexander Trechsel, European University Institute, Florence
- Professor of Political Science and the first full-time holder of the Swiss Chair in Federalism and Democracy at the European University Institute (EUI) in Florence, Italy.
- info from EUI site
- PhD in Political Science (from LinkedIn profile)

* Tarvi Martens, Development Director, Certification Centre, Estonia
- MSc IT, Tallinna Tehnikaülikool (from LinkedIn profile)
- Program Manager for Internet Voting at Estonian National Electoral Committee (currently)
- Development Director at SK (currently)
- SK is a company that provides "provision of different certificates to physical persons and organisations. Currently, the largest project handled by SK involves issuing authentication and digital signature certificates to Estonian ID cards." - http://www.sk.ee/pages.php/0203
That is, SK is a private company in the business of providing certification technology.

* Urs Gasser, Harvard University
- Dr. Urs Gasser is the Berkman Center for Internet & Society's Executive Director.
- graduate of the University of St. Gallen (S.J.D. 2001, J.D. 1997) and Harvard Law School (LL.M. 2003) (Note: these are all law degrees)
- info from Berkman Center site

* Tom Hawthorn, The Electoral Commission

Remote electronic voting via the internet and telephone was once the future of British elections. But trials held in the 2003 local elections found it made little difference to turn-out and raised concerns about security, privacy and transparency.

Tom Hawthorn, electoral modernisation manager for the Electoral Commission, says that remote e-voting is unlikely this decade, although he believes the idea may return. "In the short- to medium-term, there's things about the existing voting system - voting stations and postal ballots - which can be improved," he says.

guardian.co.uk - Voting searches for the x-factor - Nov 23, 2005
- 2006 presentation "What voters expect from a voting system" indicates high degree of concern about "my vote being private" and "my vote being safe from fraud and abuse" (in terms of percentages these are the top two concerns expressed)

* Adam Froman, President, Delvinia Interactive
- corporation that promotes Internet voting
- "Internet voting made a positive impact on the election results." from blurb on page for their report "Understanding the Digital Voter Experience"

* Dean Smith, President, Intelivote Systems Inc.
- corporation that provides Internet voting
- eight results for site search on "security" (site:www.intelivote.com security)

* Jason Gallagher, Open Source Software Developer
- I don't actually know who this is. The most likely match appears to be: "Lead Open Source Software Developer for McMaster University, Dept. of Family Medicine" (from PCHRI 2006 participants)

* Peter Wolf, International Institute for Democracy and Electoral Assistance (IDEA), Stockholm
- MSc., GraZ University of Technology (from IDEA site)

I welcome corrections and clarifications and I will update this posting if more information becomes available.

Labels: canada, elections canada, internet voting, ivotecan

If I can, I will be tweeting the Internet Voting Dialogue on January 26, 2010 from

http://twitter.com/papervote

No hashtag has been declared that I can find. I'm proposing #ivotecan

For electronic voting in Canada in general I have been using hashtag #evotecan

and there's an aggregator / discussion group on FriendFeed: Electronic Voting Canada.

Labels: elections canada, internet voting, twitter

Very worrying.

The Canada-Europe Transatlantic Dialogue (Strategic Knowledge Cluster)

Internet Voting: What Can Canada Learn?

This workshop brings together practitioners and scholars to explore issues involved in the development of Internet voting. Speakers include experts from various jurisdictions where Internet voting has been used, and prominent researchers who have studied models of Internet voting. Speakers will detail the development of Internet voting in Canada at the municipal level by examining the cases of Markham, Peterborough and Halifax, and in Europe nationally and sub-nationally by exploring the experiences of Estonia, Switzerland and the United Kingdom. The workshop will consider rationales for the implementation of Internet voting, various features and models of its application, advantages and disadvantages, public acceptance, effects on accessibility and voter turnout, and security issues. Experts will share advice regarding technical considerations such as cost, legal requirements, software and security.

NOTE: The registration deadline was JANUARY 21, 2010. Here's the (somewhat difficult to find) registration link: http://www.zoomerang.com/Survey/WEB229ZQUQUZMT

UPDATE 2010-01-25: I just realised I forgot to include a link to the event itself. Here is the Elections Canada link - Elections Canada: Media: Special Events and Conferences: Internet Voting and the Carleton link - Canada-Europe Transatlantic Dialogue (CETD) Events: Internet Voting. ENDUPDATE

Look at the issues they're examining:
* cost
* legal requirements
* software
* security

Let's revisit what I have called the "Democracy Requirements" for voting:
* preserving the secret ballot
* retaining the right to an uncoerced vote
* the integrity and accuracy of the vote count (all votes gathered and correctly counted)
* the simplicity of the system (can voters understand how the entire voting system works?)

Do you see the problem? They're talking about voting, but as usual, they're talking about it as if it were any other government "service" that is "delivered", rather than the single foundational element of our democratic society. This is what they always do, focus on the technology rather than the actual requirements for the integrity of the vote.

I can guarantee what the Internet voting presenters will discuss is three main things: convenience, turnout, and security. They will make a bunch of abstract claims about encryption and secure networks that will sound good but that, if you are an actual computer security expert, are actually nonsense.

You CANNOT, as in impossible:
* use technological security to ensure perfect end-to-end chain of custody for Internet voting
* construct a system in which the ballot is actually secret and anonymous

While it is true that there are theoretical computer constructs that can accomplish this, they run on theoretical computers over theoretical networks to theoretical servers. They do not run on Windows 7 computers on an ISP Internet connection to a bunch of servers in an actual datacentre.

Just think of the thousands, probably millions of phishing attempts every day, and the large number of these attempts that are successful. Just think of the recent security attacks on Google. Just think of the endless litany of lost passwords, lost user accounts, compromised commercial organisations. The home computer and the public Internet is one of the LEAST SECURE possible places I can imagine to hold an election.

Just off the top of my head I can list numerous possible compromises:
* if the password is sent in the physical mail, requiring at most some publically-discoverable extra piece of information (e.g. the user's birthdate), then I can attack the password distribution, in the same way that people steal credit cards and identities
* if it's not sent by mail, how do you solve the huge problem of secure key distribution to 30 million people? (secure key distribution is one of the single hardest problems in computer security)
* If your machine is already on a botnet, and millions of compromised machines already are, I have basically unlimited freedom to alter and compromise the election. I can watch your keystrokes and record who you voted for. I can watch your keystrokes and then, behind the scenes, CHANGE who you voted for. I can decide I don't like the parties running and use my botnet to attack the election servers (if you say "well, the datacentre can just block the attack" - yes, but the attackers are CITIZEN COMPUTERS)
* I can skip the end user and compromise the physical security of the data centre. And/or I can insert code into the servers that counts whatever votes for whatever candidates I want.

Even if the security is done well, there are insurmountable issues.
But even worse, the security is almost never done well. Because it is about cost, it goes often to the lowest bidder. Do you seriously want your entire election run by some private company that was the lowest bidder? Or consultants for Elections Canada that gave the best price? What "best price" means is, as was shown repeatedly for Diebold, the elections technology provider takes off-the-shelf technology (how could they not, and still provide the lowest cost), hacks together some amateurish backend with a somewhat pretty frontend, and then serves that up as a secure elections solution, leaving NOT ONLY all the security issues with e.g. running on Windows, but introducing ADDITIONAL security issues with code that is almost always woefully insecure, badly designed, and not available for review by outside computer security experts.

And even if, by some miracle, none of these things happens, ok we run an election.
It ends like the 1995 Quebec Referendum, 50.58% "No" to 49.42% "Yes" (note: elections are razor close ALL THE TIME).
So you say, all settled then, 50.58% "No".
And I say: PROVE the computers, the Internet, and the data centre were not compromised. PROVE the votes were not coerced. PROVE that it was actually Canadians voting, once, and not stolen accounts anywhere in the world voting multiple times.

You cannot prove this. Goodbye decisive elections. Hello endless battles.
Do you think this is abstract? There was ALREADY a fiasco with electronic voting machines in Quebec, which as terrible as they are, are at least in observable physical space. It was so bad, they had to investigate it, and:

On October 24, 2006 the Chief Electoral Officer of Quebec released a report (in French only) "Report on the Evaluation of New Methods of Voting" (Rapport d'évaluation des nouveaux mécanismes de votation). In a press release, three root causes of problems with electronic voting machines in the 2005 municipal elections were identified:

* an imprecise legislative and administrative framework
* absence of technical specifications, norms and standards
* poor management of voting systems (especially lack of security measures)

He recommended that the current moratorium on the use of these systems be maintained, and leaves it up to the provincial legislature to decide whether or not to use electronic voting in future.

Labels: canada, elections canada, internet voting

Very active discussion (over 400 comments at the time of this writing) on CBC News story Canadians support online voting: poll (with the usual Internet comment range between somewhat thoughtful and incoherent ranting)

In the poll, released exclusively to CBC: Power & Politics, Canadians were asked if Elections Canada offered a safe way of voting on the internet, how likely is it that they would use it.

Around 49 per cent of respondents said they were very likely and 15 per cent said they were somewhat likely.

Here's the comment I left:

Information on the Internet is just a click away. This issue has been well-studied by computer security experts. One part of it comes down to this magic phrase "a safe way of voting on the internet". That is probably impossible in the real world, outside of the confines of computer science theory. I know some will respond "online banking is already secure" but 1) it isn't & 2) banking has a completely, totally different set of threats and necessary security measure from voting

One good starting point is the Computer Technologists' statement on internet voting http://www.verifiedvoting.org/article.php?id=5867

"Election results must be verifiably accurate -- that is, auditable with a permanent, voter-verified record that is independent of hardware or software. Several serious, potentially insurmountable, technical challenges must be met if elections conducted by transmitting votes over the internet are to be verifiable. There are also many less technical questions about internet voting, including whether voters have equal access to internet technology and whether ballot secrecy can be adequately preserved."

I want to draw attention to that phrase: "potentially insurmountable". Given that paper voting works well now, is easy to understand, and is quick to count, would you rather stay with that, or try a system that computer experts say may be impossible to create? One which even if it solved the technical problems, would still have no solution for the secrecy of your ballot, a sacred right of democracy. Voting integrity is not theoretical. We know that votes were compromised in Iran and Afghanistan. Now imagine instead of paper votes and people in the streets, it had all taken place electronically? You would never know if the results reflected the votes cast.

Labels: canada, electronic voting, internet voting

The Ministry of Local Government and Regional Development is now working on a plan to test the possibility for allowing Norwegians to cast their vote from the home PC at the municipal elections in 2011.

The Minister of Local Government, Magnhild Meltveit Kleppa, is eager to introduce reforms which will increase the interest for elections and for voter participation.

The Norway Post - Electronic home voting next - July 7, 2009

Labels: electronic voting, internet voting, norway

The Toronto Star (CP) reports

Allowing Canadians to vote electronically may be the remedy for the ever-dwindling percentage of voters who bother to exercise their democratic rights, Elections Canada suggests.

In a report released late Friday, the independent electoral watchdog says it will push this fall for legislative changes that would allow it to implement online registration of voters.

And it wants parliamentary approval to conduct an electronic voting test-run in a byelection by 2013.

Elections Canada backs online voting - June 26, 2009

(It's not actually clear to me if they're talking about electronic voting machines, or voting online. Both approaches have huge flaws.)

As readers of this blog will already know, I favour the traditional in-person enumeration, and voting on paper in public. These are simple processes that are critical to the integrity of our democracy.

I've already written a critique of the idea that electronic voting will help with voter turnout - citizen engagement and e-voting. I have also outlined many, many times the security risks associated with electronic voting.

Electronic voting is a very bad idea based on incorrect assumptions.

And if you don't think having total confidence in the results of an election is important, check out the current situation in Iran. Elections matter.

This blog started in 2004 before the days of hashtags and such, but I'm suggesting hashtag #evotecan and tag evotecan for this issue.

There are also a few searches that should pull up references to this particular article:

Twitter - Elections Canada backs online voting
Twitter - bit.ly link to Toronto Star article
Google News - articles related to "elections canada" electronic

Labels: canada, elections canada, electronic voting, evotecan

I've removed the QuickTopic discussion space (which only ever got used by spammers anyway) and made a FriendFeed room to discuss this issue instead

http://friendfeed.com/electronic-voting-in-canada

Labels: meta

For some reason the linkroll bookmarks I'm displaying on this site are full of spam - I am investigating.

In the meantime if you want to see the actual, non-spammy e-voting links, they're at

http://www.linkroll.com/index.php?action=links&user=papervotecanada

UPDATE: Linkroll is displaying spam links when you pull their RSS feed or use their JavaScript widget. Goodbye Linkroll.

Labels: meta

This 1957 video promoting mechanical voting machines is beyond awesome.

I tried to embed it, but the embed code was too complex, you can see it at

http://www.archive.org/details/Behindth1957

For those of us not experienced with US elections, it's also a reminder of their incredible complexity.
My favorite part is when they talk about how the machine cannot make an error, and is protected by the incredible security of... a key.

Another gem from the Prelinger Archives, the video was on the front page of Archive.org today.

Labels: video, voting machines

Minnesota uses optical scan systems and a small amount of hand counting.

Office of the Minnesota Secretary of State: Voting Systems map (PDF)

When a recount is necessary:

* You can see the ballots.
* You can determine for yourself whether they are being unfairly accepted or rejected, and how they should be counted.
* You can determine, therefore, whether you think the results fairly reflect the will of the people.

This is important because the current Senator-Elect, Al Franken, is certified as having won by 225 votes. Out of over 2.8 million votes cast in the 2008 US Senate election in Minnesota.

Voting systems matter because elections can be very close,
which means they will be challenged,
which means you must have VISIBLE EVIDENCE of the votes that can be counted by anyone,
so that the public can determine if the results are fair.

CNN: Minnesota canvassing board certifies Franken win - January 5, 2008

Labels: recount, usa

Before you work on the solution, you must first decide upon the problem, about what is important to you.

For many people concerned about democracy and about electronic voting, the problems we consider are:

* preserving the secret ballot
* retaining the right to an uncoerced vote
* the integrity and accuracy of the vote count (all votes gathered and correctly counted)
* the simplicity of the system (can voters understand how the entire voting system works?)

I call the above "The Democracy Requirements".

You will very rarely hear advocates of electronic and particularly Internet voting talking about any of the above concerns. What they talk about is:

* efficiency
* modernity
* convenience and customer service
* voter turnout (# of votes cast, % of eligible voters who cast votes)

You will notice this is a completely different set of problems.

I call the above "The Voter Engagement Requirements".

So in a sense, we're talking at cross-purposes.
The computer security experts say "electronic voting can never be secure, and you can never know that your vote was counted properly" and they say "we think security is a non-issue because (other technology with unrelated requirements) is 'secure', and e-voting is modern and convenient and young people will use it".

The Democracy Argument Against Electronic Voting (and some paper voting too)

It should be mentioned, the first set of issues applies to many, many other voting options. As soon as you compromise chain-of-custody and the private-in-public vote, you risk all except simplicity.

For example: mail-in voting.
1. If I can identify the sender (by watching the mail they send, by identifying their handwriting, by some unique identifier on their ballot), then no more secret ballot.
2. There is a huge chain-of-custody issue - anyone in the mail stream can intercept and destroy, replace or alter your ballot
3. Your enemies can stand beside you and force you to vote the way they want

These are not abstract issues and rights. People are injured and even die every year in countries where voting is taking your life into your own hands.

Even just advance voting introduces chain-of-custody issues.
(Battlestar Galactica showed a simple fictional scenario for compromising a paper-based election, by having collusion in the chain-of-custody so that an original ballot box was changed with one stuffed with votes for a particular candidate.)

So let me make it very clear: voting on one day privately, in public, on paper, with a hand-count of ballot boxes that never leave the polling station, with scrutineers from all parties watching the count - this is the most elegant solution I can think of to the key issues of secrecy, non-coercion, integrity, accuracy and simplicity.

A machine-mediated vote, or a machine-mediated count CANNOT do this, because you CANNOT (as in, technologically impossible) know what program the computer is actually running. You cannot meet these requirements with an electronic system. I know this is a world where there are few absolutes, but trust me, any computer security expert can tell you this.

The Voter Engagement Argument for Some (non-voting) Use of Electronic Systems

Ok, assuming you want to engage your citizens in some meaningful way, and not in some Canadian Idol illusion-of-convenience superficial way, then I thought it came out quite clearly in the TVO discussion that you need:

* leadership
* engaging issues
* a real connection with voters, particularly young voters

Do you see any mention of technology in the above three items?
There is no website that is going to make you a leader, there is no social network that is going to make your issues engaging, there is no blog posting that can substitute for actually listening to your constituents. IF you already have addressed those issues, then you can reach your voters using...

* radio
* television
* and maybe you've heard of this Internet thing?

Technology is not a solution. Technology is one channel to communicate your message. You have to have an interesting message, first.

If you want more people to vote, give them something they care about to vote for, convince them that their vote matters, and connect with them before and AFTER the election, to demonstrate that you value them for their opinions, not for their increment to your vote count.

If you do that, they will wait in lines for hours. Voting technology doesn't matter. It doesn't solve a problem that Canada has.

Labels: citizen engagement, electronic voting, internet voting, politics

The classic Canadian example I usually use is the last Referendum on Quebec independence where it was 50.58% "No" to 49.42% "Yes".

There is another great example going on right now in the Minnesota senate race.
According to Daily Kos, "Today's latest results show [Democratic challenger Al Franken] is now trailing Republican incumbent Norm Coleman by 204 votes."

Wikipedia currently shows the tally at

Popular vote Coleman:1,211,562 Franken:1,211,356 Barkley:437,389

If you want that in percentages that's Coleman 41.988%, Franken 41.981%

That means if your voting machines have even a .01% error rate, they've already thrown the election. And the high-tech threat to Minnesota's optical mark-sense scanners? Dust.

Undecided Minnesota Senate Race Used Machines that Flunked Accuracy Tests - Wired - November 5, 2008

In an earlier posting, Wired writes

The problems occurred during logic and accuracy tests in the run-up to this year's general election, Oakland County Clerk Ruth Johnson disclosed in a letter submitted October 24 (.pdf) to the federal Election Assistance Commission (EAC). The machines at issue are ES&S M-100 optical-scan machines, which read and tally election results from paper ballots.

Johnson worried that such problems -- linked tentatively to paper dust build-up in the machines -- could affect the integrity of the general election this week.

ES&S Voting Machines in Michigan Flunk Tests, Don't Tally Votes Consistently - Wired - November 3, 2008

Say what you will about human failure modes, but dust usually isn't one of them.

Given that
1. Elections are often surprisingly close
2. Integrity of the count is paramount (your vote must be correctly counted)
3. Machines have many failure modes
4. A paper count by humans can be open and easily verified and rechecked

Then the best option to ensure confidence in election results is: hand-counted paper ballots.

(I don't know whether the Minnesota recount will require hand-counts.)

Labels: election, electronic voting, optical scan, usa

If you want to find stuff from the last four years of this blog, the search button in the upper left is probably the best bet, e.g.

http://papervotecanada.blogspot.com/search?q=cbc
http://papervotecanada.blogspot.com/search?q=toronto

Labels: meta

The Debate: E-Voting: An Idea Whose Time Has Come?

Technology and the vote: Why has there been a stubbornly slow adoption of electronic voting?

The Agenda - November 10, 2008

Note: This episode has not yet aired, it will be on television tonight at 8 PM and again at (I think) 11 PM. The video is usually up online a few days after the show airs. I will update this posting with new information when available.

UPDATE: I have created a discussion thread on the "Your Agenda" discussion forum: e-voting. You'll have to create an account there if you want to add your thoughts before or after the show. ENDUPDATE

UPDATE 9 PM: The show has just ended. I thought the debate was good. I also thought it was positive that the debate focused on a much more realistic assessment of evoting in terms of voter engagement and turnout.

If voting was about convenience, you wouldn't have seen people standing in line for hours in the United States. Voting is about citizen engagement. If the citizens find something interesting to engage with, technology can be an enabler. But you don't need online voting for that, you need an online presence for every day other than the election, much as we're seeing already with Barack Obama, who reached out through BarackObama.com (and into many other Internet channels) and is now connecting with Americans through his transition site change.gov

To me this technology argument "young people use technology, so voting should use technology" is ridiculous. Young people aren't stupid. Putting up a Facebook page is not the answer, putting up content that they care about is the answer.

Both of the letters from the MPPs were very well informed.

As well Farhad Manjoo and Darin Barney were both well-informed about the technical issues, and it was great to see Don Lenihan being very clear that it is for the computer security experts to determine whether voting online is secure, not the politicians or corporations.

Marie Bountrogianni was obviously not well-informed about the technical issues, but unfortunately that didn't seem to stop her making incorrect assertions (if we can bank online, why not vote online? um, because they have COMPLETELY DIFFERENT SECURITY REQUIREMENTS).

John Hollins brings a corporate perspective to voting, talking about "serving customers", an approach which to be quite frank, I hate. Voters are not consumers being provided a service, they are citizens engaged in one of the few public activities of our democracy. Voting is not the same as paying a parking fine. (Longtime readers of this blog will know of Mr. Hollins and his boosterism for technology solutions.) In Canada we have very simple elections. You don't need a $3000 touchscreen voting machine with VVPAT paper trail, to record a single vote, so that when there's a problem, you can count the votes on the paper trail. JUST VOTE ON PAPER FIRST.

I will write a follow-up post on citizen engagement vs. e-voting.

Overall I thought it was a good discussion which in the end turned far more on the citizen engagement aspect.

After posting on the Agenda forum I was fortunate to get an email from Sandra Gionas and to have a chance to talk with her on the phone, and she has kindly included substantial quotes from me in her Inside Agenda blog posting Control, Alt, Delete and Vote.
ENDUPDATE

I love the loaded language people use for paper voting: "quaint", "old-fashioned"

or for the lack of technology in Canada's federal elections: "stubbornly slow adoption".

stubbornly?

This is what I had to say the last time someone argued that you couldn't stop the wheels of e-voting progress:

Ah yes. The real world. The modern world. The practical, down-to-earth, realistic, Common Sense Revolution world. Paper is obsolete, so old-fashioned, like the Geneva Convention and other inconveniences.

Bullshit.

corporate voting bullshit - Paper Vote Canada - November 24, 2006

If paper voting is so obsolete, why is it that, overwhelmingly, the most articulate and forceful campaigners against electronic voting are computer scientists? Are computer scientists generally considered stubbornly slow adopters? Could it be that the actual experts in computer technology know that from the standpoints of security, cost, simplicity and core principles of democracy, electronic voting is just a very bad idea?

You don't believe me?

* Computer Scientists question electronic voting - March 3, 2003
* Computer scientists slam e-voting machines - CNet News - September 27, 2004
* Following issuance of an analysis by four computer scientists who were members of the SERVE Security Peer Review Group, the Pentagon decided to scrap plans for the use of this technology to cast ballots in the 2004 Presidential election.
* Computer scientists weigh in on e-voting - July 20, 2006
* UC Computer Scientists Release Video on How to Hack a Sequoia Touch-Screen Voting Machine - September 9, 2008
* E-Voting Doesn’t Get Computer Scientist’s Vote - October 10, 2008

I could go on listing reports and articles for many pages, but I hope I've made my point.

Not having electronic voting is not stubborn resistance to progress, it's rational opposition to expensive, unnecessary, insecure technology that will undermine the foundations of our democracy.

Labels: canada, electronic voting, television

Voting Machines Elect One Of Their Own As President



All hail the DRE 700.

Labels: electronic voting, humour, video

500th post.



What's interesting (and sad) is that Oprah blames herself for her voting problems.

First of all, if the machine doesn't record your vote, that's because the machine is badly designed. Second of all, it means you shouldn't be using machines.

It doesn't seem to occur to Oprah that the fault could lie with the machine.

Labels: election, electronic voting, usa

shape-shifting electronic votes are more than fantasy, according to reports from states including West Virginia, Missouri, Nevada, Georgia and Colorado. Whether by accident or design, touch-screen voting machines have "flipped" votes from a caster's chosen candidate to one he opposes.

Unlike the old days when campaigners hung around street corners haranguing voters with handouts and pints of beer, the electronic era presents a sophisticated challenge to democracy.

Now, says Crispin Miller, author of Loser Take All: Election Fraud and Subversion of Democracy 2000-2008, changes can occur seamlessly, without a breath of suspicion. Electronic glitches are only one of a range of mishaps, mistakes and dirty tricks that may decide outcome on Nov. 4.

Complaints about the electronic machines have mounted, along with calls for a return to paper ballots, like Canada's.

"More traditional systems are better," says Jeremy Epstein, a technological security expert and member of two Virginia legislative commissions that studied voting machines. "Paper-based and hand-counted ballots are fast, accurate and cheap. Studies show that machines are insecure and vulnerable to attack."

Fraud fears grow as [US] voters throng polls - The Toronto Star - October 21, 2008

(The article title is not great, something like "voting machine errors and voting surpression plague election" might have been closer to the mark.)

Labels: election, electronic voting, usa

Election Data Services provides the US November 2008 voting equipment composition (I'm tempted to say "breakdown").

I should mention that they use some confusing terminology.
To me electronic voting covers optical scan, DRE and Internet voting.
They consider electronic voting to cover only DRE (usually touchscreen) machines.

An optical mark-sense reader is an electronic device just like a touchscreen machine. It uses optical sensors to read a dot on paper, rather than to record a fingerprint. It is subject to most of the kinds of attacks that a touchscreen suffers from: you can compromise the software/firmware, there may be errors in the software/firmware, the optical sensors may be mis-aligned or malfunctioning, the paper path may jam, the power can fail, etc.

As well, if you record the order in which voters submit their ballots for scanning, you can reverse this to determine exactly who voted for whom, by going down the stack of ballots - once again the secret ballot is compromised.

It is true that IF AN ERROR IS DETECTED or IF A RECOUNT IS MANDATED, you can then hand-count the ballots (albeit going slightly crosseyed staring at tiny circles for hours).

Of course if you were a clever hacker, you would just program the scanner to distort the election by a margin smaller than that which would trigger any investigation. A similarly small error would also not be detected.

NOTE: some kind of rendering bug puts this table far down on the page.

Type	% Registered Voters
Punch Cards	0.10
Lever Machines	6.72
Hand-Counted Paper Ballots	0.17
Optically-Scanned Paper Ballots	56.17
Electronic (DRE / Touchscreen) Systems	32.63
Mixed	4.22

from 2008 Voting Equipment Study (PDF)

According to votingmachines.procon.org the numbers previously were

2004: 1% paper, 35% optical scan, 29.5% DRE
2000: 1.5% paper, 29.5% optical scan, 12.5% DRE

Labels: election, electronic voting, usa

The elections staff had collected electronic copies of the votes on memory cards and taken them to the main office, where dozens of workers inside a secure, glass-encased room fed them into the “GEMS server,” a gleaming silver Dell desktop computer that tallies the votes.

Then at 10 p.m., the server suddenly froze up and stopped counting votes. Cuyahoga County technicians clustered around the computer, debating what to do. A young, business-suited employee from Diebold — the company that makes the voting machines used in Cuyahoga — peered into the screen and pecked at the keyboard. No one could figure out what was wrong. So, like anyone faced with a misbehaving computer, they simply turned it off and on again. Voilà: It started working — until an hour later, when it crashed a second time.

...

so many printers had jammed that 20 percent of the machines involved in the recounted races lacked paper copies of some of the votes. They weren’t lost, technically speaking; Platten could hit “print” and a machine would generate a replacement copy. But she had no way of proving that these replacements were, indeed, what the voters had voted. She could only hope the machines had worked correctly.

...

In the last three election cycles, touch-screen machines have become one of the most mysterious and divisive elements in modern electoral politics. Introduced after the 2000 hanging-chad debacle, the machines were originally intended to add clarity to election results. But in hundreds of instances, the result has been precisely the opposite: they fail unpredictably, and in extremely strange ways; voters report that their choices “flip” from one candidate to another before their eyes; machines crash or begin to count backward; votes simply vanish.

An extensive New York Times Magazine report from January 6, 2008: Can You Count on Voting Machines?

And these are just the obvious, visible ways in which machines can fail.
There are many other silent ways in which the machines could fail internally that you would never detect.

You can move to optical mark-sense, but these are still machines:
* the poll workers need to get trained on them
* the paper can jam
* the scanners can fail
* the entire machine can fail

and on and on and on.

In case you think those are unlikely scenarios, they are already happening in advance voting in the United States.

The Jacksonville Times-Union reported long lines in northeast Florida, with at least two counties reporting problems with voting machines. In Duval County, 7 of 15 optical scanning machines used to count ballots had to be replaced, the newspaper reported.

Early voting suggests 2008 may see record turnout, expert says - CNN - October 21, 2008

Labels: election, electronic voting, usa

Note: DRE stands for Direct-Record Electronic, most commonly in the US these are "touch screen voting machines".

The main issue, according to a 2005 overview of electronic voting by the Institute of Governmental Studies at the University of California-Berkeley, is that if the record of votes cast exists only in digital form in a touch-screen system, there is no independent way to confirm the votes were recorded accurately and thus no way to conduct a reliable recount.

Overall, in the nation’s 170,000 polling places, there has been a shift from predominantly using manual systems (lever machines, punch cards, paper ballots) to computer-based systems (optical scan and DREs) in federal elections.

But according to news reports, as a result of the controversy over DRE machines, in the 2008 election many states might use optical scan paper ballots that require voters to fill in ovals with a pen.

Debate Continues over Security, Reliability of Voting Technology - America.gov - 27 August 2008

As I've said before, optical scan is the least-worst electronic technology, because you can at least do a manual recount of the paper ballots,

but you're still better off just counting the paper ballots by hand in the first place.

Labels: electronic voting

The Coast has an excellent and extensive article on issues with electronic voting, particularly as related to the Halifax Regional Municipality.

It's no wonder that Americans are increasingly distrustful of the voting process. Voting experts challenge every aspect of elections, including the registration process, the procedures at the polling place itself, the use of electronic machines and the counting and recounting of votes.

Contrast the sour American experience to Canadian elections: In this country, voters show up at the poll and are handed a paper ballot and a pencil. They check the box next to their preferred candidate and put the ballot in a box. After the polls close, an election official opens the box, and the official and poll observers from the political parties examine each ballot and agree on how the vote was cast. A final tally takes about half an hour.

The Canadian system is clean, unambiguous and fair.

But the Halifax Regional Municipality doesn't like the Canadian system, and is determined to change it.

iVote: Can electronic voting save democracy? - The Coast - September 18, 2008

Labels: canada, halifax, internet voting

There is this charming myth that machines are "reliable" and "correct" whereas people are error-prone. (The above post title is me being sarcastic.)

This will be shown to be totally false when, on election day, a percentage of the millions of voting machines fail in the following ways:

* mechanical failure
* touch screen misaligned
* touch screen doesn't work at all
* display screen fails (black screen)
* power fails
* printer fails
* card reader fails
* software error

If they were using Internet voting, the ways in which things could fail would be even more spectacular:

* computer monitor fails
* computer hard drive fails
* mouse not working
* keyboard error
* power fails
* network card fails
* router fails
* connection to ISP fails
* network attack or denial of service
* ISP hardware or software fails
* network transmission error
* voting software error
* central voting servers fail
* air conditioning in central voting server room fails
* power fails in central voting server room
* network fails in central voting server room
* server room catches fire (this happens more often than you might think)

Note that all of the above is just a sample of what WILL happen (the odds of a hard drive failing eventually are 100%) and none of the above require any malicious activity, just normal failures of systems. When you add in malicious activity, the scenarios get much, much worse.

Labels: electronic voting

"People make mistakes more than machines," said Jackson County Clerk Jeff Waybright.

Dear Jeff Waybright,

You are way wrong. You are confusing consistency with correctness. If a machine is programmed to do something (programmed, by a person) it will do that thing, consistently. If what it was programmed to do is WRONG, it will do it CONSISTENTLY WRONG.

Yours Truly,

Someone who actually knows about machines

Above quote from More W.Va. voters say machines are switching votes in the Charleston Gazette, October 18, 2008. The story reports that machines are not correctly displaying votes (presumably because of touch screen misalignment, or other malfunction).

Labels: election, electronic voting

One way to illustrate the simplicity of paper voting is to talk about how machines can fail, so...

On November 4, 2008 voting systems will fail somewhere in the United States in one or more jurisdictions in the country. Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failures. We urge each state to take steps necessary to insure that inevitable voting machine problems do not undermine either the individual right to vote, or our ability to accurately count each vote cast.

Is America Ready to Vote? State Preparations for Voting System Problems in 2008

Labels: electronic voting, usa

It's election day in Canada.

Please vote.

Remember there are new identification rules, roughly you need either a driver's license (or health card with photo and address in Ontario) or two pieces of ID, one with name & photo and one with address.

See Voter Identification at the Polls for more information.

In general, see

http://www.elections.ca/

for any information you need about voting today.

If you're new to the process, this very simple guide will walk you through (with the exception of the new identification rules).

Labels: canada, election

I had the good fortune to be interviewed for The Toronto Star by Leslie Scrivener--which incidentally is a great name for a journalist. She quoted me quite a bit, I think the article came out well, I'm grateful to her for the opportunity.

"It's a very human system. It works," says Akerman, 40, an Ottawa technology planner and security expert. "You mark your ballot in private, but it's in a public setting. And it balances interests. You have scrutineers from different parties watching each other. It's hands on, easy to understand."

The ballot question: Paper or not? - The Toronto Star - October 11, 2008 - by Leslie Scrivener

Previously:
The Star had a very good article about the electronic voting issue in 2004, but unfortunately it doesn't seem to be online anymore, I wrote about it at

July 13, 2004 Is the future in line or online? - Toronto Star - published July 12, 2004

Labels: canada, electronic voting, newspaper

Bump in stats from being on CBC Spark on October 8.



That reminds me I should put up some info about voting places and election results on the 13th, since I usually get a pile of hits on election day.

UPDATE: In case you're wondering, most of the hits are people searching for general voting/election information (where to vote, how to vote), not about the specific issue of electronic voting in Canada.

Labels: meta

I recognize that most people don't spend much time thinking about computer security. To the extent that they do, they either assume that there's some "security stuff" that is protecting their computer and transactions, or that such stuff could be created.

Here's the problem: lots of people have tried to create secure systems for a long time, and have failed miserably.

I don't have to get technical at all, I can just talk in the consumer space.

1. For years, games companies put elaborate efforts and skilled people into trying to protect their games from piracy. They had special codes, special floppy disks with holes punched into the magnetic media or deliberate errors, physical dongles, you name it.

And yet their games were always pirated. Eventually most of them just gave up on protecting their games.

2. For years, continuing today, media companies like the record and movie industry have attempted to protect their content from piracy with Digital Rights Management (DRM). They have sophisticated hardware, elaborate codes, highly skilled people and a large monetary incentive. And they have failed.

iTunes music DRM? There's a hack.
DVD DRM? There's a hack.

3. Apple has an incentive to protect its iPhone from being used on any network, as it has an exclusive deal with AT&T. Their phone is "locked".

iPhone locking? There's a hack

THERE IS ALWAYS A HACK.

Because any piece of software or hardware you can create, I can put a layer in front of. Your software talks to a hardware dongle? I write a layer of software that pretends to be the hardware.

And we're not talking big power or political incentives here, we're talking smart kids (mostly) who wanted to play some games, listen to some music, or watch some movies.

So if they couldn't even protect SONGS, do you seriously think they're going to be able to protect AN ENTIRE ELECTION?

There is no unbreakable "security stuff" to do that, it simply doesn't exist.
And even if it did, the incredible complexity of it would mean that the entire election would boil down to "trust the machine and the computer guys".

Wouldn't you rather trust a piece of paper you can see, a counting system so simple elementary school students could perform it, and volunteers and scrutineers from your own neighbourhood that you can watch?

Labels: security

There were e-voters in more than 30 countries, with the oldest born in 1913, they said.

"We had people vote from Sri Lanka, from Korea, from over 50 Canadian cities and 25 American states," said Cathy Mellett, e-voting project manager for the Halifax Regional Municipality.

10% of HRM voters cast e-ballots (via Carol) and 28,709 cast municipal e-votes (via sparkcbc Twitter)

Hmm, so let's see. You assign a PIN number to each citizen, and mail the PIN to their address, and the verification info is their birth year, AND you're tracking their voting location, which can only be done by tracking their IP address, which semi-uniquely identifies their computer.

So you know who they are multiple times over, through the combination of PIN, birth year, mailing address, and IP address.

So number one, goodbye secret ballot.

Are you seriously going to take it on trust that they won't be tempted to check to find out who voted for whom? That no one will ever be tempted to check this?

Number two, in a world full of good people and lots and lots of bad people, from Nigerian scammers to Russian mafia, letting people vote in a Halifax election from any computer anywhere in the world is a feature? Are you kidding me?

Labels: halifax, hrm, internet voting

Dan talks to Ilona Dougherty, Richard Akerman, and Grace Lake about voting online

Episode 48 - October 8 & 11, 2008 - CBC Radio - Spark - posted October 07, 2008

The audio is available as an MP3 download, or you can subscribe to the podcast, or get it through iTunes.

Just a couple quotes from me were used, but I think I got my points across.

Labels: audio, canada, cbc radio, cbc radio spark, electronic voting

Just trying to sort out my terminology:

Internet voting = web voting = Using the Internet to record your vote on some central election servers.

Electronic voting machine (or I sometimes just say "voting machine") = any of a number of different technologies for voting, primarily about touch-screen voting machines, but I would extend it to mark-sense optical scanners as well, in its broadest sense.

Electronic voting encompasses both using electronic voting machines, and Internet voting (which you can think of as using an electronic voting machine, at a distance, over the net).

This is fairly consistent with the use at

http://en.wikipedia.org/wiki/Electronic_voting

Labels: electronic voting

I'm trying to gather my rather rambling thoughts on this topic.
This is what I just said in an email to a newspaper interviewer:

Ultimately it comes down to a choice between a very simple system in the physical world where we use a combination of privacy, being in public, and the competing interests of strangers (the scrutineers and election workers) to provide results based on physical evidence that everyone can agree upon,

or an incredibly complex system involving your computer, many computer networks, and computer servers, all running software created by strangers, with all the possibilities this raises for either malicious attacks on the election, or normal computer errors, a situation where there simply is no evidence to rely upon other than what the computer says, and the computer can lie.

In other words, electronic voting is no different than telling a stranger how you want to vote ("I want to vote for the blue party"), and then having to trust that they actually voted the way you asked, despite the fact you know that they can lie.

Can you imagine if we had used Internet voting for the last Quebec referendum? We would still be arguing about the results.

In short, although I love technology, I know the difference between appropriate technology and unnecessary technology.

Paper and pen is the appropriate technology for voting.

Labels: canada, electronic voting

Nick Van der Graaf wrote me with a pointer to his very clear and thoughtful posting about voting machines.

If it ain't broke don't fix it - May 13, 2008

When officials come away from observing an electronic vote-counting system used in Monday's New Brunswick municipal election, I hope the lesson they take with them is this: Citizens do not need a machine to vote, nor to count those votes. And I hope for the health of our democracy that they will see that the application of technology to replace humans in this area is wholly inappropriate.

Labels: canada, electronic voting, new brunswick

My friend Jessie sent me a link to this awesome clip of Homer trying to vote for Obama

Labels: electronic voting, simpsons, usa, video, voting machines

I just completed a radio interview for CBC Radio Spark, about Internet voting specifically. I think it will air next week - and I think they will only use short excerpts from the interview, but I have asked for the entire thing to be posted online.

UPDATE: I should check my stats for this blog more often - I see that there is an item specifically about this in the Spark blog

Would you vote over the internet in a Canadian federal election? - Posted by Dan Misener on October 01 [2008]

There are some good comments on the blog posting.

ENDUPDATE

I think I conveyed my three major points:
* a key element of the voting system is trust
* a voting machine (or Internet voting) is no different than telling your vote to a stranger
* a computer can lie

Or in other words, electronic voting means that in a system based on trust, you're giving your vote to a stranger who can lie.

There is one thing I regret saying, I said something like "not everyone is a computer scientist or a mathematician, the average Canadian can't comprehend web voting" - my actual intent was something more like "the average Canadian doesn't have the technical training to understand exactly how web voting works and all the associated risks".

I did then wrap up with what I think was a strong point: Internet/web/electronic voting introduces uncertainty and complexity into what should be the most certain and least complex process in our democracy.

If you look at the specific example of the Referendum, which was so incredibly close - imagine what would have happened if the next day people had started saying "I think my computer didn't record my vote correctly" - we'd never be able to resolve it - we'd still be arguing about it.

Speech! Speech!

If I was giving this as a prepared presentation (which is more my area of communication strength), rather than as an interview, it would go something like...

Voting is about policies, but also about trust. In yesterday's leaders debate, we saw five people around a table that most of us will never meet, five strangers. We have to determine, in part, whether we trust them. Similarly most of us only talk to our MPs for a few minutes when they show up at the door before the election; they are also strangers.

It's quite a remarkable transfer of trust, from millions of people to a few hundred, transferring the authority to declare war and to spend billions of taxpayer dollars.

The process to transfer this trust is voting, which also involves trusting strangers - you probably don't know the poll workers or the scrutineers.

But the good news is that in the physical world, we are really good at reasoning about how to manage the risks of trusting strangers. If a stranger asks for directions on the street, you will probably help them, but if they ask for a $100 loan and your name and address and promise to return the money to you later, you probably won't help them.

Our existing paper-based, human-counted system is based on our understanding of the balancing of motivations and self-interest, along with a clear physical evidence chain. You mark the ballot yourself in secret, you drop it in the box in front of everyone, and you trust that the competing interests of the scrutineers from the different parties will ensure that the open counting of the paper ballots is done properly.

If there's an issue, you can just count the ballots again.

And you know that if something does go wrong, all of those people live in your community and have to deal with the consequences.

You literally could have an elementary school class run a classic Canadian Federal election scenario and they could identify all of the possible risks, because reasoning about physical evidence and human behavior is one of our strengths.

Now imagine instead that when you walk into the polling station, they say to you "for improved efficiency, just tell this stranger how you want to vote, and he will go and handle the rest". So you tell him "I want to vote for the red party" and he goes and marks a ballot in secret and drops it in the ballot box. Now you have to trust that stranger totally. You can ask him, "did you vote for red?" and he can assure you over and over, but you can never actually know, for certain, how he voted on your behalf.

In effect, his report of your vote is now testimony, or even hearsay.
We understand this quite well in our criminal justice system. Physical evidence (e.g. a marked ballot that you can see) has the highest degree of credibility. Testimony much less so, because humans can lie. Hearsay least of all, because humans can really lie a lot about other people.

You go from e.g. seeing an X in a circle on a piece of paper, to having someone say "I definitely marked an X by the red candidate", to someone saying "I think I thought I saw someone mark an X by the red candidate".

So now we just need to replace one step and I think you'll see the problem: replace "tell your vote to a stranger" to "enter a your vote on a computer".

How is that like telling a stranger? Well when you think about it, computers don't program themselves. Every computer program, and even every computer chip, was designed by someone - by a stranger. Actually by many many strangers. The computer is not some cold objective logic machine, incapable of error, the computer is the embodiment of the human intentions that went into its code and hardware - the computer is a human, in silico.

That means all of the things a person can do, a computer might do - a computer might fail, because of an error, or a computer might behave maliciously, because of malicious intent.

That is to say, the computer can lie. We often don't think about this, because for commercial reasons most people write code intended to behave well and to present information correctly. But there's no reason your code can't say

get input
if input = "vote blue" then
record +1 blue vote
display "voted for blue"
else if input = "vote red" then
record +1 blue vote
display "voted for red"
end

THE COMPUTER CAN LIE.

You can see very real examples of this in sophisticated virus social engineering - the virus presents a window that says "you need to update your antivirus software immediately [ok] [cancel]" and when you press [ok], it actually fills you computer with viruses.

Beyond that, even without malicious intent, the computer can fail in a million bazillion ways - bugs in the code, hardware error, network error, power failure, overloaded by too much network traffic (as happened with Do Not Call List), and on and on. Whereas a paper voting system can continue without power, and short of burning the paper or killing the people, it has limited ways that it can fail.

And this is an important point: people already attack physical voting systems, which is very high risk. (See e.g. Zimbabwe.) The reason they take this risk is the rewards are enormous - wealth beyond any other criminal scheme, power, privilege...

Consider that spammers have already constructed networks of hijacked machines ("botnets") - millions of machines in some cases - just to take advantage of the few thousand or at most few million dollars they can earn by ripping people off. Now just think - if there's Internet voting they can use the exact same technology to control who gets access to BILLIONS OF DOLLARS.

So think about it - you would never vote by telling a stranger your intent and letting them vote for you - why would you vote by telling a strange machine your intent and letting it vote for you?

Labels: canada, cbc radio, cbc radio spark, internet voting, radio

I've written here before about the false idea that if we make voting "convenient" by enabling online voting, it will increase turnout.

If you want to increase turnout, have a campaign to increase turnout.
Have ballot boxes at workplaces, or make the entire day a holiday.
There are lots and lots of ways to increase turnout.

Supporting Internet voting is asking for catastrophe in many different ways:
* it turns the solemn act of voting, one of the few acts of citizenship, into something no different than adding an item to your Amazon.ca shopping cart
* it means that you're using inherently unsafe, unsecured machines to provide the infrastructure for the most critical process of our democracy
* it means that someone can stand with a gun to my head and force me to vote the way they want while they watch (which, incidentally, also applies to voting by mail)

If you seriously think online voting will engage "the youth", then why not just go all the way and let them vote on their cellphones and called it "Greatest Canadian Idol"? (The sad part is that their cellphones are almost all much more secure than their computers.)

Here's what prompts this latest concern:

Elections Canada hopes it has the answers.

The federal agency has adopted a five-year strategy to boost turnout, with a focus on youth engagement.

Key planks in the plan are to communicate more frequently with voters between elections, via education programs, and to make voting more accessible to all Canadians.

Elections Canada is hoping to adopt online voter registration in two years, a tool already available in some provinces like Alberta.

Perhaps more importantly, the agency hopes to test web voting within five years, beginning with a byelection.

"The general philosophy is to take the ballot box to the voter," says Mayrand, Canada's chief electoral officer.

If the Internet gamble proves successful and security concerns can be addressed, Elections Canada would ask Parliament to amend legislation to include e-voting for general elections.

"Youth are quite familiar with technology. They expect to be able to use it for most of their life activities," Mayrand adds.

Black Mark - Calgary Herald - September 6, 2008

The problem being, voting is not like "most of their life activities".
Voting is not banking, voting is not surfing the net, voting is not listening to music, voting is not texting a friend.

Banking is an example that is often used, or online taxes, but these are completely false examples. The bank knows exactly how much money you have, as does the government, and every transaction has an audit trail and can be reversed.

Voting must not have an audit trail, and cannot be reversed (if you are going to retain a system of private, secret ballots).

Voting, since it provides the transfer of power from the very many to the very few, is a very attractive attack point for malicious actors, and I mean "attack point" quite literally - people die for their vote already today, can you imagine how much more tempting for all of the negative forces in our society to take advantage of the vast computer networks that already exist for spam and attacks ("botnets") and use them to throw the election or to write a targetted virus to compromise the election?

That's not even to touch the issues of just running the election assuming everything actually goes right. The Do Not Call List site just went down because of high demand after it was launched. The Tax servers routinely get overloaded when millions of Canadians use the online systems near filing day. That's not a problem, because those transactions are repeatable.

What happens when the election servers go down from heavy demand on election day?
People resubmit their vote? We have the vote again another day?

A human-run, human-counted paper voting system has a very small number of failure modes, all of which anyone who understands the physical world can easily work out (people can steal the ballot boxes, etc.)

Computer-run, computer-counted voting systems have almost unlimited failure modes, which almost no one except computer and network security experts can fathom.

A paper voting system must work during the voting, and during the counting, and then it just disappears.

An electronic voting system requires servers that must be secured both physically and electronically 365 days of the year, every year, in case a vote is called.

The whole idea that you would get any benefits from online voting is patently ridiculous. The only way you can make it appear to work is to ignore all of the security issues, ignore all of the ongoing cost issues, treat it as if it were a banking or other repeatable and auditable transaction, as if voting is something that should somehow be made "efficient", and make a bunch of claims about turnout.

It is a Very Bad Idea.

Previously:
November 28, 2006 let's have a discussion
November 15, 2006 Geist on e-voting

Labels: canada, internet, internet voting

DOBBS: For more than two years here, we've been reporting on the serious threat that electronic voting poses to this democracy. As a result, some states have begun to scrap their e-voting machines altogether. But a third of the nation will still be using e-voting machines in November. And more disturbing a new report says election officials often are outsourcing their responsibilities to the very companies that make the e-voting machines, even trusting those companies to count the votes. Kitty Pilgrim has our report.

(BEGIN VIDEOTAPE)

KITTY PILGRIM, CNN CORRESPONDENT (voice-over): Ellen Theisen has been a software writer for more than two decades. Living in Washington State, she was disturbed by electronic voting problems across the country, so she formed a nonpartisan citizen's activist group to investigate voting irregularities. A new report by that organization, VotersUnite.org, says that private companies now run many elections.

ELLEN THEISEN, VOTERSUNITE.ORG: Elections should be accountable to the people and run by public officials who are selected by the people to run them. So when that's handed over to private vendors, these public elections are no longer public.

PILGRIM: According to the report, many jurisdictions in the country are entirely dependent on the voting machine companies. The companies also tabulate results. State officials have to take their word for the results. The company owns the software and equipment and doesn't have to share it. It's proprietary. Election officials often can't do a recount without help. One state that rejected that arrangement is Oklahoma. In 1992, Oklahoma put in its own optical scan system, which is still owned and operated by the state.

MICHAEL CLINGMAN, OKLAHOMA STATE ELECTION BOARD: Election night, it's really all public officials dealing with the election and nobody else.

PILGRIM: Oklahoma wasn't tempted by new federal funds in 2002 when many other state and local governments used the Help America Vote Act money to buy touch screen machines.

UNIDENTIFIED MALE: There was really nothing on the market we would buy then and there's still nothing we would want to buy today.

Lou Dobbs Tonight - August 20, 2008

Labels: electronic voting, usa

Rep. Rush Holt

Anything of value should be auditable. ...

To give voters the confidence that they deserve that their votes will be counted as they intended... in every election there should be an audit.

See the full interview



Countdown with Keith Olbermann - #4 Man vs. Machine

via Black Box Voting forum

Labels: usa, video

The basic premise of e-voting went something like this:

1) Electronics makes things "efficient" and will save money.
2) Elections are a government service just like any other.

Underlying this was an extraordinarily naive concept of elections as uncontroversial events that would never be challenged, and that no one would ever make a serious attempt to commit election fraud. There would never be close races. In essence, a disdain for the whole voting process, because it implies that a single vote will never make a difference.

This is simply demonstrably untrue, as elections with contested results have been a worldwide problem, with accusations flying, often with violent repercussions. Time and time again we have seen incredibly close elections.

The reality is: the more complicated and indirect you make the voting process and the vote counting process, the more you open the system to suspicions of fraud, and associated loss of confidence in the results of the election.

As I've said before, voting is an incredible act of civic alchemy, in which the will of the many is transmuted into tremendous power for a very few (e.g. in the US, a few hundred people leading a nation of 300 million). WITHOUT COMPLETE CONFIDENCE, this cannot work; a million people are not going to hand over power to a single politician unless they are confident s/he was actually selected by a fair vote.

In a partisan environment with close-fought elections, this means that now

EVERY SINGLE ELECTION WILL BE CHALLENGED

Oh, brilliant cost savings there, you idiot technocrats. Instead of pen and paper and election results in hours with full confidence of the electorate, elections will now turn into endless recounts, court challenges, and code examinations. Since it is almost impossible to prove that machines weren't hacked, any case where there is not a full paper trail will end up basically unresolvable.

Hand counted paper ballots were never broken,
the only way to fix this problem is to go back to them.

New Hampshire is lucky they have optical scan (the least-worst of the electronic options) so that confidence can be restored by a manual recount.

For a taste of what's to come, see ArsTechnica - Analysis: Why the "Hillary hacked NH?" story is important (Updated)

Labels: electronic voting, optical scan, rant, usa

Added FeedFlare, which provides some additional capabilities for emailing and bookmarking within each post.

UPDATE: Minor template change to adjust FeedFlare.

Labels: meta

From The Daily Show, November 2, 2006

This blog has just moved to the new blogger, so some things may break.

Labels: meta

1. Procedures are more complicated than in-person voting
2. No immediate feedback / oversight if there are problems with the ballots
3. People screw up and put their signed declarations in the same envelope as their vote, thus a) spoiling their ballot and/or b) revealing who they voted for

Globe and Mail - Postal-ballot errors spark review - December 19, 2006

Municipal Affairs and Housing Minister John Gerretsen says he's considering revisions to Ontario's municipal elections law as towns and townships continue to struggle through counts of problem-plagued mail-in balloting in the Nov. 13 vote.

...

This week, judges in Bracebridge and Lindsay ordered that efforts be made to count ballots that had been determined spoiled by clerks in four Ontario municipalities because no signed declaration was enclosed.

Although some other municipalities faced with high postal-ballot rejection rates -- generally about 20 per cent -- instituted procedures before election day to try to salvage the votes, that option was refused by Lake of Bays Township in Muskoka, the City of Kawartha Lakes and the townships of Highlands East and Minden Hills.

Minden Hills is the only municipality so far where the added votes have made a difference. Out of 849 rejected ballots, 256 votes were found with a signed declaration improperly inserted inside the secrecy envelope and the vote was allowed.

As a result, challenger Lisa Schell saw her 11-vote loss to Clayton Cameron reversed to give her a one-vote majority.

Slashdot reports

"Paperless electronic voting machines 'cannot be made secure' [pdf] according to the [US] National Institute of Standards and Technology (NIST). In the most sweeping condemnation of voting machines issued by any federal agency, NIST echoes what critics have been saying all along, that due to the lack of verifiability, 'a single programmer could rig a major election.' Rather than adding printers, though, NIST endorses the hand-marked optical-scan system as the most reliable."

(in case you're wondering, Internet voting counts as a "paperless e-voting machine")

I wonder how many experts have to say that electronic voting sucks before people will listen.

Of course, crazed luddite that I am, I would eliminate the machine-based counting as well, and just have humans count the paper.

Slashdot - NIST Condemns Paperless Electronic Voting - December 1, 2006 /.

Adam asserts that I have

a very disturbing and one sided perspective

But Adam, you haven't responded to a single issue that I raised.

I welcome all perspectives, provided they are fact-based.

In particular, I invite realistic threat-risk assessments, cost assessments, and cultural assessments.

Let us take Internet voting.

1. Is the code open-source?
2. Has the code been audited by neutral computer security experts?
3. Where are the servers?
4. How are the servers protected?
5. Has the server security been audited by neutral computer security experts?
6. Who pays to protect the servers and the code for the thousands of days during which they are not being used for municipal elections?
7. Who wrote the code?
8. Have they all passed an independent security certification?
9. Do they have ties to any particular political party or other organization that might have an interest in the outcome of the election?
10. How do you mitigate the risk of paying or forcing someone to vote in the way you want, as you watch them on the Internet?
11. How do you mitigate the risk of the massively insecure home computers that are used for Internet voting?
12. When the full costs of security audits and thousands of days of security protection are taken into account, in order to provide a single day of municipal voting, how do you justify the expense?

There's a dozen questions. I have way more where those came from.
I challenge anyone to answer.