Casting a Vote Against Internet Voting

With the increasing shift from analog to digital, some elections officials are unsurprisingly chomping at the bit to move toward Internet-based voting.  My weekly technology law column (Toronto Star version, homepage version) notes that last year, Elections Canada officials mused about the possibility of online voting trials, noting the potential benefits of increasing voter participation, particularly among younger demographics.

More recently, the province of Alberta opened the door to incorporating new technologies into their voting processes as part of an electoral reform package.  New trials would require the approval of a legislative committee, but the province's Chief Electoral Officer acknowledged that online voting may be coming, noting "online voting is something that's on the forefront of people's minds. . . people say, 'I can do my banking online, but I can't do my voting online'."

The enthusiasm for Internet voting is understandable. At first blush, there is a certain allure associated with the convenience of Internet voting, given the prospect of increased turnout, reduced costs, and quicker reporting of results.  Moreover, since other security sensitive activities such as banking and health care have gravitated online, supporters argue that elections can't be far behind. Yet before rushing into Internet voting trials, the dangers should not be overlooked.

Democracy depends upon a fair, accurate, and transparent electoral process with outcomes that can be independently verified.  Conventional voting accomplishes many of these goals – private polling stations enable citizens to cast their votes anonymously, election day scrutineers offer independent oversight, and paper-based ballots provide a verifiable outcome that can be re-counted if necessary.

While technology may someday allow us to replicate these essential features online, many of them are currently absent from Internet voting, which is subject to any number of possible disruptions.  These include denial of service attacks that shut down the election process, counterfeit websites, phishing attacks, hacks into the election system, or the insertion of computer viruses that tamper with election results.

These concerns are based on real-world experience.  The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that administers the domain name system, ran an online board of director election in 2000.  The experience was fraught with technical difficulties, leading a reviewer to conclude "the technical weakness in the registration system made it virtually impossible to assess the integrity of the voters' list, the security of the PINs, and secrecy of vote."

More recently, the Netherlands used Internet voting as part of its 2006 parliamentary elections.  The online option was an alternative for Dutch citizens working or living abroad.  Nearly 20,000 valid Internet votes were received at a cost of approximately 90 euros per Internet voter.  Two years later, the country implemented a ban on Internet voting.

The Canadian experience is limited primarily to municipal elections.  Several Ontario municipalities have offered Internet-based voting, enabling local residents to vote without leaving their homes.  Residents were required to pre-register for Internet voting and were provided with detailed instructions on the technical requirements to "vote anywhere."

Caution on Internet voting appears prudent, since experts have identified a long and costly list of necessary precautions, including random spot checks and post-vote verification programs to preserve anonymity.  Given the security risks, opening the door to provincial or federal Internet voting seems premature.  In the zeal to increase voter turnout, the reliance on Internet voting could inadvertently place the validity of the election process at risk.

28 Comments

  1. Darryl Moore says:

    Not Internet elections but Internet voting!
    Michael, I could not agree more with this blog entry. In fact I would go further and say that Internet voting will never be a viable alternative for electing our legislative representatives. There is currently no conceivable solution to the issues you raise that would allow it.

    At the same time I would suggest that the Internet would permit a more direct form of democracy in cases where anonymity were not important. In particular, Parliament.

    In our system, we elect MPs who essentially carry a proxy for every member of their constituency (~100,000 ppl). Internet voting would allow us to control the use of that proxy more directly by allowing us to retract our own proxy and vote on bills directly in Parliament. So a proxy for 100,000 people becomes 99,999 and I get to cast my own vote of 1. This is admittedly a very small voice in Parliament, but it is a direct voice, so it is important; and the threat of enough people exercising this right through the Internet might go a long way toward fixing our parliamentary system.

    Since there would be no need for anonymity in this system, transparency becomes much easier to accomplish. Oh, I would so love for the opportunity to cast my own vote on some of the Bills that come before that dysfunctional institution.

  2. Our last municipal election in Halifax tried to use internet voting and I think it was a fiasco. The media was full of reports of people getting two cards under slightly different versions of their name. I myself got a card for me and for my ex-spouse who left the province 4 years ago. In-person voting at least gives some (flawed, rudimentary) means of preventing these mistakes from being exploited.

  3. Anonymity is easy — privacy is the problem
    Technical problems can be solved, and there are already protocols that provide perfect anonymity with verifiability.

    But the fundamental problem with Internet voting is that there’s no way to guarantee that the voter is alone when filling out the ballot.

    Until someone figures out how to make sure that nobody is “guiding” me as I use my laptop to vote, Internet voting is stillborn.

  4. Getting The Government We Want Isn’t Just About Voting
    Well spoken, Michael.

    Just as there have been many notorious issues with electronic voting machines south of the border we should expect similar problems and abuses to occur with the implementation of net voting. There is no pressing need for this.

    While waiting for the inevitable bugs, flaws and security issues to be resolved before launching a net voting process we would be far better served to increase the use of the net to follow up on our current voting methods. Getting the government we want (or deserve) means playing a more active part in how that government operates. The net offers us increasingly powerful opportunities to hold our elected representatives accountable, answerable and responsive to the needs and desires of the citizens of this country.

    Let’s use the net to get the government working for us – then we can focus on using the net to elect the government we want.

  5. @Darryl Moore

    I dream of an idealistic day where voting is secure enough to have a society where the elected officials are merely “custodians” to ensure that the system stays up and running and to introduce ideas and bills to the citizens and leave the majority of the voting on these ideas to the citizens.
    But in reality, security to prevent not only hackers, but to prevent propaganda and lobbyists from swaying the minds of the citizens with media ads and over-simplification of bills to spin them in ways they’re not meant to be interpreted would be nearly impossible.

  6. The issues are not just technological. Our voting system is based on a few assumptions that need to be addressed in any e-voting system.

    1) The assumption that the person placing the vote is eligible to vote.
    2) The assumption that the person placing the vote only votes once.
    3) The right of the person to an anonymous vote.

    The challenges are both technological and logistical. We have the means to deal with the technological issues. For instance, a pair of encryption keys. One is assigned to the individual and is used for the purposes of items 1) and 2) above. The second is used to encrypt the actual vote. The receiving system does not have the second key; it simply deals with the first and passes on the encrypted vote to another system once authentication has taken place.

    The bigger problem is logistical. How do you securely distribute the authentication keys?

    Is eVoting the cure for the malaise of voters who don’t vote? Not sure, but I doubt it. I suspect the bigger issue is a sense of hopelessness. That many of the votes that aren’t cast are a means of protesting against the established parties. Will eVoting cure that? No. The way to deal with that is to introduce, onto the ballot, a “None of the above” option.
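
The two-key split described in comment 6, sketched as an added example (not code from the comment or from any election system): a receiving system that checks eligibility and single voting with the per-voter key, and a separate tally system that alone can open the ballots. All names are hypothetical, and the shared election key with a SHAKE-256 keystream stands in for public-key encryption to the tally system so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed illustration: every key, name and class here is hypothetical.
PAD = 32  # fixed plaintext size, so ciphertext length does not reveal the choice

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHAKE-256 output as keystream: a teaching stand-in for a vetted cipher.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vote(election_key: bytes, choice: str) -> bytes:
    """Voter: encrypt the choice under the second key (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)  # fresh nonce, so equal votes look different
    padded = choice.encode().ljust(PAD, b"\0")
    ct = _xor_stream(_subkey(election_key, b"enc"), nonce, padded)
    tag = hmac.new(_subkey(election_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_vote(election_key: bytes, sealed: bytes):
    """Tally system: return the choice, or None if the ballot was altered."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    good = hmac.new(_subkey(election_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return _xor_stream(_subkey(election_key, b"enc"), nonce, ct).rstrip(b"\0").decode()

def authenticate(voter_key: bytes, sealed: bytes) -> bytes:
    """Voter: tag the sealed ballot with the first, per-voter key."""
    return hmac.new(voter_key, sealed, hashlib.sha256).digest()

class Registrar:
    """Receiving system: holds per-voter keys only, never the election key."""
    def __init__(self, voter_keys):
        self.voter_keys, self.voted, self.batch = dict(voter_keys), set(), []

    def submit(self, voter_id: str, sealed: bytes, auth_tag: bytes) -> str:
        key = self.voter_keys.get(voter_id)
        if key is None:
            return "rejected: not eligible"        # assumption 1) in the comment
        if not hmac.compare_digest(auth_tag, authenticate(key, sealed)):
            return "rejected: bad authentication"
        if voter_id in self.voted:
            return "rejected: already voted"       # assumption 2)
        self.voted.add(voter_id)
        self.batch.append(sealed)                  # 3): identity is dropped here
        return "accepted"

    def release(self):
        # Shuffle before hand-off so arrival order cannot link ballot to voter.
        return secrets.SystemRandom().sample(self.batch, len(self.batch))

def tally(election_key: bytes, batch) -> dict:
    counts = {}
    for sealed in batch:
        choice = open_vote(election_key, sealed) or "<invalid>"
        counts[choice] = counts.get(choice, 0) + 1
    return counts

def run_demo():
    election_key = secrets.token_bytes(32)
    keys = {"voter-1": secrets.token_bytes(32), "voter-2": secrets.token_bytes(32)}
    reg = Registrar(keys)
    b1, b2 = seal_vote(election_key, "Candidate A"), seal_vote(election_key, "Candidate A")
    results = [
        reg.submit("voter-1", b1, authenticate(keys["voter-1"], b1)),
        reg.submit("voter-1", b2, authenticate(keys["voter-1"], b2)),  # second attempt
        reg.submit("voter-2", b2, authenticate(keys["voter-1"], b2)),  # wrong key
        reg.submit("voter-2", b2, authenticate(keys["voter-2"], b2)),
    ]
    return results, b1 != b2, tally(election_key, reg.release())
```

The separation holds only while the two systems keep their records apart: the receiving system knows which sealed ballot came from which voter, so pooling its log with the tally system's key links every voter to a choice. Distributing the per-voter keys, the comment's open question, is outside the sketch.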

  7. Darryl Moore says:

    @J.H.
    J.H. saz:

    “But in reality, security to prevent not only hackers, but to prevent propaganda and lobbyists from swaying the minds of the citizens with media ads and over-simplification of bills to spin them in ways they’re not meant to be interpreted would be nearly impossible.”

    I don’t think you can reasonably make that argument about propaganda and lobbyists without also applying it to general elections, in which case you are arguing that any kind of democracy is inviable, and I would say you are wrong. We have to contend with lobbyists and propaganda all the time. That is why we have limits on campaign contributions and have publicly financed political parties. In reality, the people that would be most likely to take their proxy back from their elected representative, so they can cast their own vote, would likely all be well informed.

    With regard to vote security. If you vote yourself and that vote becomes part of the public record, it becomes a very easy thing to ensure that there is no vote tampering. Using public/private key pairs it would be quite simple to ensure that no one exercises your vote for you. Tampering could be made very very difficult. Such security only becomes difficult where your vote is also expected to be anonymous.

    Marc makes a very good point about making “sure that nobody is ‘guiding’ me as I use my laptop to vote”. This could well be an issue in many countries, and for many kinds of votes. But for what I am promoting (Direct voting of Bills in Parliament) it would take such a herculean effort to do, looking over millions of shoulders, that I do not see it as any more of a threat than mail in ballots for general elections, which many countries currently do without problems.

  8. Much as I think the underlying idea makes some sense, direct voting on bills is a pretty scary idea in a country with as little political awareness as ours. Minority rights, in particular, would probably be in for a shellacking à la CA Proposition 8.

    Frankly, and it pains me to say this, I don’t trust my fellow citizens to wield that sort of power without making this country a social and fiscal mess.

  9. Jason Keirstead says:

    Michael, while I usually agree with you on your posts, I have to disagree with you on this one. While some of your points are valid, and will be difficult to overcome, I have no doubt that they *can* be overcome, we just have to figure out the best ways to do it. The Dutch example is not really valid since 2006 was essentially a millennium ago in Internet time.

    The analogy I like to use is that if I can do something as important and potentially risky as filing my taxes online, then why should I not also be able to vote online. The CRA has figured it out, why can’t Elections Canada? Yes, I know there are a few more issues involved with an online vote, but none that can’t be overcome.

    There is absolutely no doubt in my mind that online voting would increase voter turnout by at least double the current rate, perhaps triple – because people are lazy, and do not want to go to polls. As such, figuring out how to do it should be a top priority in order to ensure the people’s will actually is being followed.

  10. Healthy to get out
    Another dimension than security is that it is probably a healthier public participation experience to be physically in a location with other voters, reminding one in a way the internet doesn’t that there are others affected by one’s vote. Like online comments, online voters are more likely to be both too selfishly “themselves” and too cut off (if not actually drunk) from the reality and consequences of their votes.

  11. DNSSEC
    It is interesting that Michael mentions ICANN, because there is one technical issue with internet security that must be resolved before any secure voting system on top of the IP protocol is possible: DNSSEC. The domain name system is vulnerable to attacks allowing impersonation of a trusted party (can be used to bypass any ssl/tls or other type of key-exchange encryption).

    The solution is the adoption of DNSSEC. It requires that the root domain (.ca for Canada) be signed with a certificate, which must be done by the Canadian Internet Registration Authority. AFAIK there is no plan for DNSSEC adoption in the .ca domain.

    Anon-K is correct that internet voting will not really promote voter turnout, the voting system must be changed for that to happen. A good idea might be the fractional, reassignable voting system developed by and for the Maemo community elections (it is discussed on youtube.com/fosdemtalks) but that is another issue entirely.

    Technically these are some of the things I would need to be assured that online voting might be safe:
    – DNSSEC adoption
    – Only use public cryptography technologies
    – Open source distribution including all firmware for voting devices, with built-in hashing capabilities for each voter to verify the integrity of the system
    – Use of physical interaction in the procedure to enhance security

  12. Darryl Moore says:

    @Jason Keirstead
    “The analogy I like to use is that if I can do something as important and potentially risky as filing my taxes online, then why should I not also be able to vote online. The CRA has figured it out, why can’t Elections Canada?”

    The problem with both your analogies is that neither one includes any expectation of anonymity on your part, and there is less (or no) need to ensure the process is transparent and verifiable. It is simply not possible to have an online process that is transparent, verifiable, and that guarantees anonymity as well. At least one of those criteria has to go for it to work.

    What you are asking for is no different than DRM snake oil salesmen who claim that we can have Internet DRM and privacy at the same time. NOT!

  13. First past the post is the problem, not a lack of online voting option
    The voter apathy is not because of lack of online voting, it’s because 50% of all votes are wasted. If you don’t vote for the winner in your riding, your vote accomplishes nothing, because per-vote federal funding for political parties does not give as much effect.

    In the last election, Green and Bloc got around 10% of the votes, but I don’t see any Green party members in the parliament.

  14. So, I’ve been thinking about this a lot after talking to people who are working on secure voting. The problem is that the best way to break this is simple.

    “Independent” lobby goes out (likely a group that is actually out of the country), register a site online, which has a third party wrapper around gecko. The simple web browser goes to one webpage (the voting one) and identifies as Firefox (since it effectively is). You type in a paypal number (or whatever), and you vote. If you vote for the right group (indicated in instructions), you get $5. “Thirty seconds for $5” signs posted around anonymously.

    Simple man in the middle attack (or, something very related to it) which one side cooperates in. Really no good way to do it without securing the computer the person is using totally.

  15. Darryl Moore says:

    @Sean
    Except that accepting a bribe for your vote is illegal and I’m not sure anyone would want to risk real jail time for 5 bucks.

    If you are using private/public keys to validate users, then you would also have to give the man in the middle your private key. That would be sort of like selling your personal ID for $5. Again unlikely. Especially if the government started using such personal digital IDs for administering more government services online as well. Would you give away your SIN number if you thought someone might misuse it and result in the loss of YOUR government services?

    No. The only problem is that it cannot be done in a way that would protect the voter’s privacy. Exactly the same problem as DRM!

  16. The problem of course being that there’s no good way to detect this attack (since the browser is actually Firefox, and you simply send the data two places). Technically it’s illegal, but there’s no way to secure against it, especially if the bribers are out-of-country (say, the USA likes to change our laws, but so do other countries), or simply moved away to be used as agents.

  17. Is it perfect? Probably not…
    In our current system, we stand very visible in front of a crowd and vote. While the crowd doesn’t know how I voted, my presence is noted (and even recorded). I thought I even noted at one time that my ballot had a number and that number was written against my name… so in theory, who I voted for could actually be recalled. The illusion of privacy is there though. Later when our votes are counted, there’s the possibility of miscounts, “lost votes”, bribed officials that “steal” votes, etc, etc. Our current system is filled with potential problems, but that doesn’t stop us from using the current system.

    Should we wait until the online is absolutely perfect before we start using it? Probably not. If we had waited for the current system to be absolutely perfect, we wouldn’t have voting at all. An online system won’t be perfect, but I would still like to have the option.

  18. Chris Brand says:

    The difference is in whether interference can be detected
    @Jason Keirstead
    If somebody else uses your bank account or messes with your tax return, there is an alternate path that lets you know (you find you can’t withdraw money from your account, you get demands from CCRA, you get phone calls from your bank). If somebody changes your vote, there’s no way for you to know. Voting systems also make a far more attractive target – governments generally have much more money than individuals 🙂

  19. Don’t make it too easy to vote.
    A few exceptions aside, if you are too apathetic to get off your sofa then you don’t deserve a vote.

  20. No bloody way
    Never.

    How comfortable would you feel voting with the NSA, CSIS and (if Bill C47 went through) your local law enforcement agency watching over your shoulder?

  21. @Jason K
    Jason. What is the impact to Canadian society if your personal taxes are compromised? For you personally, and the people involved, the impact is large. But does it call into question the validity of an election? No. The problem with (potential) electoral fraud is that it does the latter.

    As I said before, the push to eVoting, to me, seems to be based on the assumption that people aren’t voting because they don’t have transportation to the polls, don’t know where the poll is, or can’t be bothered to go there. I question the validity of this assumption. Will you see some increase? Sure. Will it “increase voter turnout by at least double the current rate, perhaps triple”, well, given that in 2008 59.1% of the eligible voters turned out, even doubling would be clear evidence of electoral fraud.

  22. strunk&white says:

    compulsory voting
    If voter turnout is the primary driver, why not compulsory voting like they have in Australia? Don’t vote, receive a fine. Increases voter turnout dramatically. Spoiled ballots allowed for those uninspired by the list of candidates – spoiling one’s ballot has always been the “none of the above” option, along with write-ins.

    For direct voting on all issues, see the California system of referenda and proposition voting. Then look at the state of the California economy, which has immense difficulty ever raising taxes after the passing of Proposition 13 in the 70s. Representative democracy, while imperfect, has its advantages.

  23. none of the above
    “spoiling one’s ballot has always been the “none of the above” option”

    Not quite.. A spoiled ballot is almost equivalent to what we are seeing today, voter apathy. It doesn’t count for anything.

    A “none of the above” option is the logical extension of the idea that “even if you don’t have a preference to vote for, there is always someone to vote against”. It is a valid vote, and represents a valid voter choice. Again, the logical extension of a riding majority voting for “none of the above” means that NONE of the candidates are acceptable to the majority of voters – time for a new set of candidates and a new election. It serves as a wakeup call to existing candidates/parties and opens the door to more independent candidates.
    Parliamentary representation is only as good as the candidates. When the choices boil down to “bad or worse”, voter apathy tends to set in. There are various ways to counteract this, but “none of the above” is as good a method as others – and has never really been tried anywhere.

    Using digital technologies to implement referendum voting on all issues is perhaps too big a step to take all at once. But that doesn’t mean the idea doesn’t have merit. If each elected candidate used these techniques to proactively “get the pulse” of the people they represent on issues, it would be a step in the right direction.

    Bringing our government processes into the digital age doesn’t have to be “all or nothing”. Incremental steps benefit everybody. The overall architectural design should allow for expansion and integration, but can be implemented in smaller pieces.

  24. Don’t throw out the idea yet
    The potential for fraud is enormous when you do not have well-audited and transparent processes during an election (it happens in other countries without Internet voting). I support the idea of using the internet to help enable democracy (advanced mail proxy voting already takes place in our elections) but agree that the idea cannot be rushed.

    For example, the USA had some issues with using electronic voting machines related to the poor auditing of the machines themselves, and not properly implementing a procedure to verify the integrity of the vote.

    Some ideas:
    -Some sort of verification process to check if your vote was cast correctly.
    -Authentication of the voter (for online voting) could involve one-time certificates/keys when you cast the ballot.
    -You could augment the online vote with the physical mail system (physically mail pre-registration information to the voter)

  25. Unsolvable problem.
    The problem with internet voting is that the objectives are in competition with themselves. We want something which is anonymous – no one can tell who I voted for, yet I want to be sure that my vote was correctly recorded. We also want it to be user friendly, yet we want the system to be simple to audit. Finally we want it to be convenient for lazy voters – at home voting – but we want it to be difficult to fake voters or votes. We simply cannot solve all of the problems at the same size.

  26. I add electronic voting machines, and optical readers to the concerns. The use of these machines in my home town, has led to a city government whose election is by no means legitimate or supported by the public. The court battles that have ensued have cost taxpayers millions. There is no end in sight for the negative impacts on city government, yet council supported using the electronic counting machines again for 2010 election. Until strong standards and processes can be developed and privacy enhanced secure technology is available, and tested and proven, these machines should be banned.

  27. Matthew Weber says:

    ACTA Facebook group
    Another featured blog post here: http://www.vulcantechonline.com/home/2010/3/15/anti-counterfeiting-trade-agreement.html
    and make sure you join the facebook group here http://www.facebook.com/group.php?v=wall&ref=mf&gid=387879991802

  28. some have figured it out
    If you are going to give examples of why it can’t work, you need to look at places that have had positive results from online voting. Explain away Estonia’s success with online voting and then I’ll say it can’t be done. After all, Estonia was part of the Soviet Union until 1991 and now they are surpassing the west in ‘e-everything’.