Must Reads

Elections Canada Probing Online Elections, Again

Elections Canada has announced that it plans to trial online voting systems sometime in the next few years. I’ve written about some of the concerns with online voting in the past (here and here). Christopher Parsons posts an excellent look at why Elections Canada “cannot secure an online electoral process.”

20 Comments

  1. In fact, the ban on publishing is very easy for Elections Canada to deal with.

    Don’t publish poll results as they come in.

    If EC doesn’t publish local results as they come in, rather waiting until such time as the polls close across the country, then the only thing that could be published via twitter, blogs, etc, is what an individual votes should they choose to make that public. I actually don’t see why EC and the media wants to publish local results as the polls come in. There is a difference between something being in the public interest and the public being interested in it.

  2. Tunnel Vision
    Parson’s post is a classic example of corporate tunnel-vision that it’s laughable! For example:
    ======================
    * every user’s computer and every computer attached to the common local routers. Not only the computer that you’re voting on in your home needs to be secure, but so do all the devices connected to you router (e.g. all other computers, all iDevices and wifi-connected mobile phones, appliances connected to the wifi router in your home, etc.). This means the hardware must be secure, that the operating system must be secure, and that all programs on the devices must be free of exploits.
    * all levels of the telco/cableco system. This means both physical and electronic security must be guaranteed.
    * citizens themselves must be entrusted to follow all the electoral roles; they cannot influence, threaten, or otherwise modify the course of their own or others’ electoral process.
    * audit mechanisms must be built into the system, such that peripherals (e.g. printers, email systems) used to deliver audit documents cannot be compromised.
    * bad actors cannot be introduced that could take advantage of privileged access to modify/disrupt data streams.
    ======================

    Are you kidding me? Does this guy even understand internet and communications security? For any non-ICT people reading this…just think of how many of Chris’ “requirements” have equivalents in place for our current (i.e. “paper”) method!

  3. And then they’ll trust companies like Diebold….
    Convicted of rigging in some sates? No problem! We in Canada don’t care!

  4. Dohn Joe: Mr Parsons clearly *does* understand internet and communications security; I think you are the one who does not. The big difference between these requirements listed in paper ballots and online ballots is that in paper they can be OBSERVED to be followed (or not). Security in paper ballot systems relies on many independent observers scrutinizing the entire process, from the moment the ballot paper is dropped into the ballot box, to when the papers are counted. It can easily be seen whether security is breached. With electronic voting, however secure the system is technically, it permits no effective independent scrutiny of either the circumstances under which the vote is cast or the counting process. You have to “trust” the voting system that it hasn’t just made the results up.

  5. I also have to ask
    what it is that EC is attempting to do here. Make voting more convenient? Let’s not forget that, within a computer system, generally the security problems occur when one introduces convenience features for the user. For instance, hhe user doesn’t like to have to log in every time they start the computer? No problem, we’ll set up an auto-login capability.

    With mail-in votes and advance voting, I have to ask how much are we willing to trade off trust in the results (especially if the results are disputed) against convenience for a few. There are two groups of people who would most benefit from online voting. The young, who are used to doing everything on their smartphone, and the older folks who have mobility issues. However, in the case of the latter, there are two things to consider. First of all, how many of them are not living in a place where a special polling station is created? And secondly, of that group, how many of them have a computer and the access to the potential high-speed access needed to actually vote (given that government websites tend to be fairly graphics intensive).

    If the theory is that people aren’t voting because it isn’t convenient, that may be a partial fallacy. Federally, many of the people that I know that don’t vote are that way because that is how they are voting “none of the above”. Setting up an online voting capability will do nothing to get them voting, since it most likely wouldn’t include a “none of the above” capability.

  6. Oh brother…
    @Alex:

    Really? Just so you know you really come off as a luddite in your response.

    Can you explain to me why “all levels of the telco system” must be guaranteed if you have end-to-end encryption? Why “all devices on your network must be trusted” if the one you use to vote is bulletproof and/or isolated? It just seems to me that the guy hasn’t been out of the corporate closet in a long time … you don’t need “complete control” to rely on established and proven computer science principles and technologies. Typically technicians which lack thorough understanding of these principles and technologies instinctively resort to grasping for more and more control, as opposed to whatever is sufficiently required. There’s no viable reason for half of the requirements he lists.

    Regarding your remark that electronic systems cannot have scrutiny, what do you base this on? Plain ignorance? There’s nothing that prevents scrutiny at any level in an electronic system (they’re not magic, they’re just technology). Because of the inherent automation in electronic systems a much higher level of scrutiny can be applied than is done so with the current paper method.

    The current method lacks veracity and while the implementation of an electronic means is a chance to improve why don’t technology critics like Chris or yourself criticise it?

    The “many independent observers scrutinizing the entire process” just makes me laugh. Are you implying that the government has no hand in selecting (or rejecting) the people who run our elections?!? The whole thing is run by a government department…how can you call that “independent” with a straight face?

    Now, I personally have no qualms criticising the current method because I know I cannot trust it – I, nor any Canadian citizen for that matter, have any way of verifying that our votes, once cast, are recorded, counted, and applied to the final results properly. The only way to provide this is to allow each and every citizen to PERSONALLY VERIFY the election results. And to be honest, there’s no legitimate excuse for never having allowed this.

  7. Models
    Just entering into this fray..

    There are existing models we can use, models that today have the required level of “security” that can be used to as a basis of electronic voting. The key is the “security” of the device or mechanism at each end, not the “security” of the transport.

    Take the banking and Credit Card systems we use today. It isn’t perfect, but it’s very tough to compromise and easily audited. ATM’s and CC processors abound in the “hostile” environment of the internet. Even online CC transactions happen daily without the presence of the actual card. Use this as your starting point and extend it.

    There is one problem with the above model, anonymity isn’t allowed. To be uniquely secure *and* provably anonymous could very well be insurmountable.

    Personally, I’d give up “anonymity” to the same degree as I give it up in the census, IE: How I vote is only known to a limited cadre.
    Better yet, it isn’t even recorded/tracked after authentication. 2 systems, with only a token handshake exchange. One system that authenticates and hands off with a unique token to have the user mark the ballot. Once the ballot is submitted, the token is handed back to the authenticating system to close out that particular authentication. All communications strongly encrypted.
    Such a system can be audited and tested without exposing a match between identity and ballot – unless you have access to both systems. This part is an administration and management issue, there should be no need for anyone to have admin access to both systems.
    There are plenty of flourishes you can add to this, timestamps, token checksums, etc, etc.

    The key nut to crack in this whole situation is the “security” of the end user devices used. This is the same issue much of our financial transactions have. They are the model to base an electronic voting mechanism on. It doesn’t even have to be as “easy” to use, since it’s use is very infrequent in comparison.

  8. Dohn Joe: I shall disregard your cheap shots about corporates and technicians etc. actually it tends to be the corporate suits (e.g. civil servants, lobbyists for voting technology companies) who are pushing for electronic voting solutions, while the sceptics tend to be less corporate-minded techies who actually understand the technology on which it is based. In my experience, enthusiasm for e-voting tends to be inversely proportional to understanding of the technology involved.

    If you are using a system on the Internet, it CANNOT be isolated: that is the WHOLE POINT of the Internet. Yes, every machine that the vote passes through has to bulletproof secure.

    As for scrutiny, the problem is not that scrutiny of electronic systems is not possible; rather that such scrutiny is not possible by non-experts. To be able to scrutinize an electronic voting system, you need to have a full knowledge of the workings of that SPECIFIC system. To anyone else, it IS magic. Input: lots of people enter their votes. Output: the computer spits numbers out. There is no way that anyone who is not an expert in the technology can determine any causal relationship from Input to the Output. By putting scrutiny in the hands of a small group of technical experts, you are reducing the pool of people who are able to scrutinize the voting mechanism, making it non-transparent. How do you know the “experts” are telling the truth? How do you know they haven’t just programmed the computer to make the results up? You don’t: you just have to trust them.

    By “independent” I actually mean that observers are independent of each other: there are people overseeing the process at every step; nothing to do with whether or not they are employed by government. And the fact that the whole process is observed from start to finish means that any tampering with the votes, whether by government agents or anyone else, can be easily caught. Whereas in an electronic voting system, the government or voting machine supplier could just write a program to output whatever results they want, and no-one can find out because it all happens in a ‘black box’.

  9. Secret ballot
    @oldguy: I disagree with you on one important point: I would not want my vote to known to *anyone*. The secret ballot is sacrosanct. By this I don’t mean I won’t tell people how I’ve voted. I mean that I don’t want to be able to prove to anyone how I have voted. Not to anyone at all. Not even a “limited cadre”. That is the point of the secret ballot, and it introduces a major logical problem in electronic voting system, since any auditing would violate it.

    Contrast this with the paper and ballot box voting method, where it is possible to observe the whole process of the vote, and assure oneself that it is working correctly, but it is NOT possible to find out how any individual (including oneself) voted. [Is this what Dohn Joe means by being able to “personally verify” the results? Because this ability would violate the secret ballot. If it is possible to verify one’s own individual vote, then it is possible to prove it to someone else. In paper and ballot box voting, the results are COLLECTIVELY verifiable, but an individual vote is not. And that is how it is supposed to be.]

  10. An internet based voting system is also susceptible to a few attacks which will degrade the confidence of the electorate in it. The first is through the use of a denial of service attack, so that people can’t vote using that means. The equivalent with a voting booth would be a protest outside that prevents people from entering the premises.

    The second is a man-in-the-middle attack. In this situation it is necessary for an attempt to vote to be redirected to a malicious website, probably as a result of a mistyped URL or DNS spoofing. That website acts as an intermediary between the proper EC website and the voter… it allows the voter to identify themselves without a problem but then either monitors who that person voted for or casts the ballot for someone else. You can’t deal with this by allowing only a single ballot to be cast from an IP, since people will use shared computers in libraries and internet cafes to vote.

    This is why the security of the endpoints is insufficient for an eVoting system. endpoint security is part of the issue, however the expectation of the secret ballot means that recovery from a compromised intermediary system is extremely difficult if not impossible, since it is not possible to identify which ballots were compromised.

    It isn’t necessary to actually compromise the system; it is sufficient to cause the perception of a compromise to cause reasonable concern with respect to the results of the election and the mandate of the elected party (ignoring that the last government in Canada that received more than 50% of the vote was in 1984 (http://www.parl.gc.ca/parlinfo/Compilations/ElectionsAndRidings/ResultsParty.aspx).

  11. Secret Ballots are “Insurmountable”?
    @oldguy:
    Secret Ballots are “Insurmountable” if details are publicly available? Funny how almost every school and university has overcome these “insurmountable” odds. Ever seen student’s marks in a public area of the school alongside their secret ID number? TADA!

  12. Hmmm…
    @Alex:
    I didn’t take cheap shots about technicians, this is something which plagues IT. Truly knowledgeable people are few and far between and usually found in IT startups or open-source projects. The general corporate world, being what it is, tends to suffocate bright minds in IT departments. This is doubly so for governments. I will agree with you on the suits in that they’re usually participating in the asphyxiation.

    Sure a machine on the internet isn’t isolated, but what Chris is proposing is the verification of secure systems on the network local to the voting device. If the voting device is already deemed secure then this is at best redundant and ineffective and at worst security theatre. You don’t have to secure the whole internet to have a secure system as is known to many of us who don’t run any operating systems from the software company with the single worst software security track record in history.

    I’m still not getting your point on “independent”. How do you know these “observers” of our paper ballot system are independent? Have you followed each of them around with a camera to ensure they’ve never communicated to each other?

    I tend to prefer open systems to closed ones and agree with you about the magical nature of voting machines…especially those Access DB + VB based amateur-hour machines used just south of us. However, if each voter can personally verify their vote and the results from a full list in an election then knowledge of the process becomes immaterial.

  13. Looks like a few people didn’t read my whole posting..

    The current financial transaction model doesn’t allow anonymity.

    But I also on to describe a mechanism that would allow a disconnect between identity and ballot. This is similar in model to the current voting mechanism, where you need to identify yourself in order to receive a ballot, but your choice on the ballot is disconnected from your identity.

    This mechanism requires 2 separated systems, one that validates identity and one that records your ballot choice. The only communication between these systems is a token (or cookie in today’s terms). The user communication channel would be passed from one system to the next, and carry the token within the communication. The token is a verification that the identity has been verified, and nothing more. All communication would be encrypted.

    Denial of service, man in the middle, and other issues can be dealt with using current techniques. All are well understood and mitigation techniques available.

    There are potential “trust” issues, and issues with independent verification. Certainly the average person won’t have the skills to verify the processes, but open source of the software can allow anyone with the skills, to do so. System security should never depend on “obscurity” of any kind. The “trust” issue then becomes spread across many, and anyone that really wishes to do so can obtain the skills needed to verify the process.

    The communication paths can be secured, the processes and systems can be secured.
    The biggest issue is the “security” of the end user devices and application(s) running on those devices. This is again similar to the issues the financial industry has, and the techniques used in various aspects of that industry can be used as a model.

    The system would be much simpler, and allow end user auditing of their ballot choices, if total anonymity of choices isn’t required.

  14. Student IDs are NOT secret! (And nor are marks)
    @Dohn Joe: Student IDs are NOT secret. Your student ID is most likely printed on your student card, and is needed when you do any kind of business with the education institution. Anyone can find out an individual’s student ID. And indeed exam and coursework marks are not secret, as they are known to the school. They are *confidential*, between the student and the school, but that is NOT the same as being secret, which means that NO-ONE knows. Posting marks alongside student IDs is a convenient way of communicating marks without straightforwardly linking a mark to a specific student, but they can be linked via the student ID, so anyone who knows another student’s ID knows their marks. s/student/voter/g and s/marks/votes/g, and you can see how this is not acceptable when communicating how people voted in a secret ballot. The kind of verifiability of votes that you refer to is not desirable: a secret ballot requires that it is NOT possible to link an individual to their vote.

  15. Security and transparency
    @oldguy: “…if total anonymity of choices isn’t required.” But that is the problem: total anonymity is EXACTLY what is required in voting by secret ballot. Therefore, identifying votes that have been compromised is impossible because it would violate the secret ballot. There is no way of even identifying a breach of security in such a situation. You cannot check the output against what is “expected” when the expected output is meant to be secret. You and @Dohn Joe are arguing for a “trust the programmers” system.

    And yes, security is required in all parts of the communication chain. It is not good enough to have just endpoint security, simply because neither the user nor the elections agency has any control whatsoever over any other parts of the communication chain. Your faith in non-Windows systems as being inherently secure is touching (but probably misplaced as the main reason nearly all operating system malware is written for Windows is that nearly all desktop computers run Windows), but operating system vulnerabilities are not the only source of network insecurity. It could be, for example, someone at an ISP deliberately changing its DNS to facilitate the kind of “man-in-the-middle” attack that @K-Anon describes. Anyway even if YOU are secure because you are running Linux, this is no help to all the people who are running possibly compromised Windows computers. If any are compromised, then the election is compromised. And as I keep saying you cannot find out that this has happened without violating secrecy.

  16. independence and expertise
    @Dohn Joe: “independence” of people who oversee the ballot process has NOTHING to do with whether they communicate with each other. Of course you can be completely paranoid and assume that anyone in the pay of a government agency is working to some sort of agenda, which might include election rigging. But in case it escaped your notice, elections are PUBLIC events. Anyone can apply to come to observe an election count. Voting takes place in public. Any irregularities in the process would be noticed, and in any mature democracy be brought to attention. And while voting stewards and counters may be paid by the local council or election commission, the tellers for the candidates are not, and nor are the count observers for the campaign temas of the candidates or parties. There is no way you can say they are not independent of each other: opposing candidates are not going to connive to stitch up the ballot. Let’s walk through a typical paper election.

    At the start of day, the ballot boxes are delivered to the polling stations. They are checked to be empty, the lids are put on, and the boxes are locked. The stewards who sit at the desk (who may change during the day) where the boxes stand and the lists of voters are kept do not have access to the boxes. Attempts at tampering would be noticed, not just by other stewards but also by voters. The tellers (who as mentioned are volunteers for party and candidate campaigns) might also notice anything irregular. Attempts to improperly influence voting in the voting booths would be noticed by the stewards (and attempts to do so by the stewards themselves would be noticed by the voters).

    The day passes. Voting is finished. The doors to the polling station are closed. The ballot boxes are collected and driven to the counting hall, again by people who do not have access to inside them. Once at the hall, the ballot boxes are opened. Ballot boxes that are missing or late, or are found to be tampered with, can be noticed. The hall is already full of people, including counters, observers from party campaigns, and perhaps even ordinary members of the public. The count begins. It happens in full view of everyone there. Any systematic scheme of putting ballot papers on the wrong pile is likely to be noticed. And anyone can ask for a recount.

    So the process is transparent; it may not be 100% tamper-proof (then again, probably nothing is) but it is tamper-EVIDENT. A serious government attempt to rig an election would involve the connivance of many people who are not (apparently) in the pay of the government; possible, maybe… in Zimbabwe or some other pseudo-democracy or tinpot dictatorship but in a mature democracy? IT WOULD BE NOTICED. And attempts by private individuals or organizations to rig elections (a much more common occurrence) certainly are.

    This is the great advantage of the paper ballot system: it can be verified (i.e. the votes as a whole can be verified) by people WITHOUT technical expertise. It is NOT ACCEPTABLE for the system to be verifiable only by people with special skills, as you are describing e-voting systems. It does not matter if the system is open-source or free/libre software: most people do not have the time or inclination to learn the specialized computer knowledge required to check that the program is receiving and counting votes correctly. I work in IT, but not as a developer, so I have no desire to wade through anyone’s source code to see if it does what it is supposed to. No-one would unless it happened to be their hobby. And anyway this is irrelevant, since you don’t know that the code that is publicly available is the code that is being run, or that it is running using a standard compiler, and not a modified one that systematically produces doctored results.

  17. @Alex

    I described a way anonymity can be maintained. It is more cumbersome, but it can be done.

    I suggest you do some reading on “man in the middle” attacks, how to set one up, and how to prevent it. Investigate some of the deeper uses of asynchronous encryption and dynamic certificates. As I stated above, these are well known vectors and the methods to prevent them are also well known.

    Using current technology, the systems/processes and the communication paths can be secured. This might seem like rocket science, but it isn’t impossible or even all that difficult. It is well understood by many in the industry, no matter that it may not be generally implemented – yet.

    From the general discussion, it appears there might be a few vocal people that haven’t spent much time writing code to secure communications paths and system applications. It can and has been done, with high levels of security.
    (Hint: Investigate some of the more oddball technologies used in ICMP and DNS based VPNs.. Look into methods used to defeat DPI, and a range of other lesser used technologies. Think about their applications to “security”.)

    The weak point will always be the end user devices.

    BTW.. This isn’t the place to get into another Windows vs other argument. Suffice it to say that anyone deeply familiar with the design of more than 3 or 4 different operating systems (counting all versions of Dos/Windows as one evolving design) recognizes that the Windows “security issues” go well beyond it’s popularity.

  18. E-voting has been studied in other places
    The situation is not exactly analogous, but I am still a bit surprised that nobody has commented on the problems the US has had with electronic voting (direct recording) even though their approach (computers in polling locations) is much less ambitious than allowing any random Internet-connected computer to enter a vote.

    I’d refer anyone interested in the issue to the Risks Digest archive (http://catless.ncl.ac.uk/Risks) and Rebecca Mercuri’s investigations of the problem with e-voting (http://www.notablesoftware.com/evote.html)

  19. @David

    I agree, and I have looked. Lessons to be learned from the US experience. In fact most of the “lessons” and issues have already been discussed here.

    The major issues arising from that analysis boil down to hardware exposures, proprietary software, and “trust”. Effectively they boil down to the same weak links I mentioned above, end user device issues and the “trust” of the systems. Open source can spread “trust” out to many with the skills. The end user devices will the hardest part of this nut to crack.

    Everyone seems to be overly concerned about the “internet” part of the equation, when the really hostile part isn’t the internet or systems side (well understood and manageable), but the end user device side of things.

    The “trust” side of things is a social aspect, and seems to often boil down to a distrust of anything people can’t verify personally. Very few people will actually want to watch and verify the voting, the transportation, and counting, but the fact that they can, and would understand the process, imparts a measure of trust.
    Conversely, people do have a measure of trust in things where they don’t understand the processes, but can audit the results. I stated above that anonymity might be impossible with an electronic voting system. Technically we can make it work. But it would require a change in the way we “trust”, to be socially acceptable.

  20. How would Bill C-52 affect private ballots?
    Michael, How would Bill C-52 affect private ballots?