re: internet voting – A software engineer’s critique of Elections Canada Chief Electoral Officer’s plan

Internet voting in a by-election held after 2013

Background

In this article, I am writing as a reporter and also as a computer scientist with 10 years of software engineering experience plus a keen interest in internet security and internet voting issues for over 10 years. To me, there are many potential issues with internet voting, and I will discuss the two main issues I see in this article.

This recent discussion of internet voting is a result of Elections Canada Chief Electoral Officer’s report on the 41st general election (PDF file) (emphasis and link added),

Under section 18.1 of the Act, the Chief Electoral Officer may carry out studies on alternative voting methods and test electronic voting processes for use during general elections or by-elections, subject to the approval of the House of Commons Standing Committee on Procedure and House Affairs and the Standing Senate Committee on Legal and Constitutional Affairs. Elections Canada has been examining Internet voting as a complementary and convenient way to cast a ballot. The Chief Electoral Officer is committed to seeking approval for a test of Internet voting in a by-election held after 2013.

1) “Security” of internet-based voting system vs. Advantage of Paper Ballots

Paper ballots used in Canada have one major security advantage: it takes a long time to fake or tamper with the votes. Can you imagine, with our existing checks and balances, someone physically tampering with (i.e. changing the voters’ votes on) 10 paper votes, 100 votes, or 10,000 votes? I honestly can’t. There are just so many Elections Canada people and election scrutineers from all parties that tampering with physical votes is almost impossible.

Now, can I, as a former software engineer, imagine someone with the smarts and knowledge of a particular internet voting system’s precise weakness electronically tampering with 100,000 votes in a general election? Absolutely!

Am I just imagining potential security weaknesses and worrying too much? Well, the D.C. Board of Elections and Ethics had serious egg on their faces in Oct 2010. They thought their internet-based voting system was secure enough that they asked people to help test it. After only a few days of testing, their embarrassing failure was documented by the Washington Post in “Hacker infiltration ends D.C. online voting trial”. [HT Bruce Schneier]

Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of “give it your best shot.” Well, the hackers gave it their best shot — and midday Friday, the trial period was suspended, with the board citing “usability issues brought to our attention.”

Here’s one of those issues: After casting a vote, according to test observers, the Web site played “Hail to The Victors” — the University of Michigan fight song.

“The integrity of the system had been violated,” said Paul Stenbjorn, the board’s chief technology officer.

Let me quote Bruce Schneier, with whom I totally agree (emphasis added),

My primary worry about contests like this is that people will think a positive result means something. If a bunch of students can break into a system after a couple of weeks of attempts, we know it’s insecure. But just because a system withstands a test like this doesn’t mean it’s secure. We don’t know who tried. We don’t know what they tried. We don’t know how long they tried. And we don’t know if someone who tries smarter, harder, and longer could break the system.

A fair election is the foundation of our democracy. As a software engineer of large-scale safety- and mission-critical systems for 10 years, I try to speak with an impartial view. I honestly don’t know whether we can build an internet voting system secure enough that I would risk Canada’s democracy on it.

Sure, other countries may have internet voting of which their citizens approve. But what other countries do or don’t do does not necessarily make it right! I care about my own country’s democracy, which is why I am speaking out.

By the way, don’t even think about security by obscurity (relying on the secrecy of the design, etc.), because it is a really bad idea!

2) Secret Ballots in Polling stations vs. Internet voting location

Polling stations in Canada have a specific set of requirements and the ability to let voters cast their ballots in secret is one of those fundamental requirements.

Unfortunately, when voting is done over the internet, we can no longer be sure all ballots are cast without undue influence from others in the “voting booth”, because there isn’t a “voting booth” anymore.

Imagine a religious, trade, activist, or other group encouraging its members to vote on a computer at a common location for “election parties”, while its leaders keep coercing the members. Can we stop this easily and effectively?

Even if the group is as small as a family, should we allow the sanctity of and requirement for “secret ballots” to be violated by over-eager parents, grandparents, relatives, or friends?

3) My brief replies to interesting comments and “solutions” from this CBC News August 18 at 6:43am Facebook posting.

  • From Melissa Dimock, “I’m a little leery of it, but it’s being done elsewhere. I do think that making voting easier, more accessible and convenient would improve voter turn-out. […]” August 18 at 6:45am

My reply: I don’t know if internet voting will increase voter turn-out for the long term once the novelty factor is gone. But assuming it does, is it worth the risks stated in (1) & (2) above?

  • From Steve Cooper, “I’m not too down with it. I wouldn’t trust it. Imagine on election night the result is a massive swing to a party you are not pleased with. How confident would you be that the result is legitimate?” August 18 at 6:51am

I have to agree with Steve.

  • From David Jamieson, “Nope and Nope again. It is a ridiculous idea in this age of hacking. A vote in a democracy is far too important to be left in the hands of so few. […]” August 18 at 6:52am

I also agree with David.

  • From Erika Belanger, “if you can submit your income tax or do banking on the Internet, we should be able to vote that way. Might have more voters that way. There has to be a way to make it secure…..” August 18 at 6:54am

I think Erika’s thought may be shared by many Canadians. Why is it safe to submit income tax and do banking on the internet, but not so for voting?

Well, let’s put things in context with #2 above. We have no worries if someone is watching and monitoring how a person pays income tax or banks online. But we have serious concerns if someone is being monitored and “influenced” on how they vote in an “internet voting booth” at home or at any other location.

Hacking our internet banking is profitable to criminals, but imagine criminals helping to hack an election and controlling Canada’s political future. Our votes, paradoxically, are in some sense much more valuable, even though many fellow Canadians routinely give up their right to vote.

A healthy democracy needs constructive debate. Please add your views; I will try to selectively reply to some of the comments.

*** References & Notes ***

Bruce Schneier is an internationally respected computer security expert; he is the expert whose work I have read and admired for over 10 years! In this article, I quoted his Oct 2010 piece “Hacking Trial Breaks D.C. Internet Voting System” extensively. His earlier but comprehensive Dec 2000 piece “Voting and Technology”, while written over 10 years ago, still contains some valuable insights (even though they may not be his latest thinking). His Dec 2003 “Computerized and Electronic Voting” is also a good read.

4 Responses to re: internet voting – A software engineer’s critique of Elections Canada Chief Electoral Officer’s plan

  1. Jan Rubak says:

    Hi Kempton. I’m basically in agreement with you, which feels oddly Luddite-ish for techies like us: electronic voting is a bad idea.

    The only way that an electronic voting system could ever be acceptable in a democracy is for its inner workings to be completely transparent. This transparency would also have to extend to its operation during election night, and not just to the underlying code that is supposedly being executed, otherwise it would be very difficult to have any real confidence that the software has not been compromised by any individual parties along the chain from development to deployment. I don’t think such transparency during operation could be achieved without compromising voter anonymity, which makes it a nonstarter in my opinion.

    Even if the breakdown of anonymity weren’t an impediment, I agree with you that a large coordinated electronic voting system would probably be much easier to tamper with in subtle ways to effect a small swing on a large scale, enough to potentially tip the balance unfairly one way or the other without it being easy to detect (operational transparency notwithstanding, scrutineers are still a finite resource). There seems to be a curious electoral dynamic in our western democracies (especially in effectively two-party systems like the U.S.) where every major vote comes down to a very fine-line divide, essentially 49% vs. 51%. I have no idea what the underlying drivers of this phenomenon are (it seems to hint at some fundamental flaw in the social dynamics of the system design) but it makes large-scale subtle-effect tamperings have real consequence.

    Obviously a traditional paper ballot system is not immune to “hacking” by dishonest election officials, e.g. through ballot stuffing or falsified reporting of returns. But as you say, in this case it is far more difficult for a small group of people to effect a large corruption of the result. I would’ve also said that the benefit of the traditional approach is that it generates a paper trail, as opposed to ephemeral patterns of electrons, and such a permanent record enables recounts and other subsequent scrutiny in the event of a contentious election result. Now that I think about it, though, having an electronic voting system be transparent during its operation on election night solves that problem, since the full history of the “machine state” becomes part of the public record in the process (preserved by duplication in the public domain, so to speak).

    The clear advantage of an electronic voting system over a paper ballot system is ease of logistics and reduced deployment costs, but I think the additional complexities/uncertainties that are introduced in the process would always make the paper ballot system preferable. Sometimes low-tech is actually the best solution. (E.g. look at tools that we use every day: a drinking glass, a hammer, etc.; just because it might be possible to add blinkenlights and other fancy techmonology to something doesn’t mean that that will markedly improve its function.)

    I don’t actually know how many times electronic voting has actually been tried in public elections, but I gather that the Diebold machines that some districts used during the 2004 U.S. presidential elections had some very worrisome security holes.
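
One way to make Jan’s point about a permanent record concrete: the example below is added here and is not code from this post or from any election system. It assumes a simplified append-only log in which each entry commits to the previous entry with SHA-256 and the final digest is published at poll close (so that any copy scrutineers hold can be checked against it). The event strings, the `ballot:<choice>` tally format and the `demo()` scenario are constructed for illustration. It shows only that a published record is tamper-evident after the fact; it does not address the voter-anonymity problem Jan raises, since the record must carry no voter identity to be publishable at all.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Digest that the first entry chains to (constructed convention for this example)
GENESIS = "0" * 64


def _entry_digest(prev_digest: str, seq: int, event: str) -> str:
    """Hash the entry over a canonical JSON encoding so independent copies agree byte for byte."""
    payload = json.dumps(
        {"prev": prev_digest, "seq": seq, "event": event},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the log
    event: str        # what happened, e.g. "ballot:A" (constructed format, no voter identity)
    prev_digest: str  # digest of the entry before this one
    digest: str       # digest of this entry, covering prev_digest, seq and event


class AuditLog:
    """Append-only record: every entry commits to everything before it."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        return self.entries[-1].digest if self.entries else GENESIS

    def append(self, event: str) -> Entry:
        prev = self.head()
        seq = len(self.entries)
        entry = Entry(seq, event, prev, _entry_digest(prev, seq, event))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Entry]) -> Optional[int]:
    """Return None if the chain is internally consistent, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_digest != prev or e.digest != _entry_digest(prev, i, e.event):
            return i
        prev = e.digest
    return None


def tally(entries: List[Entry]) -> Dict[str, int]:
    """Recount from the record itself: count every 'ballot:<choice>' event."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.event.startswith("ballot:"):
            choice = e.event.split(":", 1)[1]
            counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo() -> Tuple[Optional[int], Optional[int], bool]:
    """Constructed scenario: a clean log, a crudely edited copy, and a consistently rewritten copy."""
    log = AuditLog()
    for ev in ["open:poll-1", "ballot:A", "ballot:B", "ballot:A", "close:poll-1"]:
        log.append(ev)
    published_head = log.head()  # the value scrutineers would record at poll close

    clean = list(log.entries)
    assert verify_chain(clean) is None and tally(clean) == {"A": 2, "B": 1}

    # Copy 1: one ballot changed in place, digest left untouched -> chain check catches it
    edited = list(clean)
    old = edited[2]
    edited[2] = Entry(old.seq, "ballot:A", old.prev_digest, old.digest)
    first_bad = verify_chain(edited)

    # Copy 2: same change, but every digest recomputed -> chain looks fine,
    # yet its head no longer matches the published one
    rebuilt = AuditLog()
    for e in edited:
        rebuilt.append(e.event)
    return first_bad, verify_chain(rebuilt.entries), rebuilt.head() == published_head


if __name__ == "__main__":
    print(demo())  # (2, None, False)
```

The second copy is the important case: an internally consistent rewrite is only detectable because the head digest was published (or duplicated) outside the control of whoever holds the log, which is exactly the "preserved by duplication in the public domain" property Jan describes.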

  2. kempton says:

    Jan,

    Thank you very much for sharing your insight here.

    Agree re the potential for “ballot stuffing” even with our paper ballots, but when those illegal actions happen, more often than not, they seem to be caught and exposed.

  3. Jamie Jordan says:

    Kempton thanks for this article. I’m going to post it on our Facebook group page if you don’t mind:

    https://www.facebook.com/groups/csave/

    Please join our group. The more of us there are the better we will be able to make our point to the different levels of government.

  4. kempton says:

    @Jamie

    I don’t mind you posting a link of the article to your Facebook group. It is important for us Canadians to hold Elections Canada and our government accountable.
