Why Online Voting is a Bad Idea for #ERRE

Computer security people will be able to tell you:

You can have a secret ballot OR a secure system, but not both. Internet banking and commerce can be secure, but only because the bank knows who the customer is.

Fair Vote Waterloo says:
On Referenda, Consultations, and Postcards

Australian Computer Expert Vanessa Teague:
Election explainer: why can’t Australians vote online

Daily Dot takes a much more technical look:
Online voting is a cybersecurity nightmare

“The” computer security expert, Bruce Schneier, agrees:
More Voting Machine News

Barbara Simons asks: Why can’t we vote online?

Online voting is one of the things Canada’s ERRE Special Committee on Electoral Reform has been tasked with studying, so WRGreens’ own Bob Jonkman framed this important issue in the Canadian context in his Submission to the ERRE Consultation:

“I am opposed to electronic voting and online voting. I am a computer consultant by profession, and nothing I see in my work shows that people’s home computers or even the computers in most businesses have the security capable of upholding the Integrity requirement, ensuring reliable and verifiable results.

“The main issue with online voting is not computer security, but a fundamental incompatibility between voter identity and the secret ballot.

“When voting takes place outside of a polling station it is important that voter identity is established to prevent fraud. It must be provable that the ballot filled in online was actually filled in by a registered voter, and not by someone impersonating that voter. To achieve this, voters need to be issued a ballot with a serial number or barcode to ensure that only that one ballot is filled in for that registered voter. But if every ballot cast has a serial number, then the completed ballot with the voter’s choices is identifiable with the voter’s name and registration information. The secret ballot is impossible, and the Integrity criterion cannot be met.

“When voting does not take place in a polling station then it is possible that a voter will be coerced into voting according to the demands of the “head” of the household, or voting at the workplace according to the employer’s demands. Without the scrutiny of Elections Canada, voting integrity cannot be ensured.

“But computer security is an issue too. People’s personal computers are constantly being attacked by computer viruses, malicious web sites, and denial of service attacks from compromised Webcams. And spam. The difficulty of ensuring online voting integrity is at least as great as is the difficulty of eliminating spam (unsolicited, unwanted e‑mail, sometimes commercial in nature, sent in bulk). If you haven’t experienced problems with spam then it is likely your E‑mail Service Provider is filtering your e‑mail for you – but how many good messages are being filtered accidentally? You’ll never know, because you’ll never see them.

“There are actually very few large-scale spammers on the Internet, maybe a couple of dozen at most. But they’re responsible for almost all the unwanted e‑mail that clogs up billions of e‑mail accounts in the world. It shows how a few bad actors on the Internet can completely overwhelm an e‑mail system. Similarly, a few bad actors on the Internet can completely compromise an online voting system. If we can’t secure our mail systems to solve the spam problem, it is unlikely that we’ll be able to secure everyone’s computer to guarantee online voting integrity.

“It is unfortunate that there were so few computer security experts providing witness testimony to the Committee. Almost every computer security expert who has commented on electronic voting since the U.S. “hanging chad” elections in 2000 has decried the use of voting machines, and, more recently, online voting. Voting machines are regularly compromised, are not auditable by design (they have proprietary source code), and are prone to failure when needed most. Computer security lecturers delight their audiences with tales of voting machine touch screens that dodge the target when the “wrong” vote is selected, or that play marching band music after they’ve been compromised by a prankish hacker.

“Voting is very much different from buying a product from an online store. If the wrong product is delivered, the store will ship the right product the next day to ensure customer satisfaction. But if the wrong candidate is elected, there is no recourse the next day. It is unlikely that fraud will be detected until the voting machines are audited many weeks after the election, and even when fraud is detected the outcome will be hotly contested by the affected candidates. In fact, if voting machines don’t use publicly published open source code then it is likely election outcomes will be hotly contested because proving that no fraud was committed is impossible.
“However, vote tabulation by machine is perfectly acceptable, although there must be a requirement that vote tabulators are also audited and their source code is made public. Ballots designed for vote tabulators (optical mark cards) can always be counted manually if the electronic tabulation is in dispute.”

— Bob Jonkman:  Electoral Reform — My Submission to the #ERRE Committee
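The identity-versus-secrecy conflict described in the submission, as an added Python sketch (not part of the submission and not modelled on any real voting system): the serial number that lets a server reject unknown or reused ballots is the same key that joins every recorded choice back to a named voter. The class, voter names and party labels are constructed for illustration.

```python
import secrets
from collections import Counter


class SerialBallotServer:
    """Toy ballot server (hypothetical): one serial-numbered ballot per registered voter."""

    def __init__(self, registered_voters):
        # Issuance log, serial -> voter. Without it the server cannot tell
        # a registered voter's ballot from a forged one.
        self.issued = {secrets.token_hex(8): v for v in registered_voters}
        # Ballot box, serial -> choice. The serial must be kept to spot reuse.
        self.cast = {}

    def serial_for(self, voter):
        return next(s for s, v in self.issued.items() if v == voter)

    def cast_ballot(self, serial, choice):
        if serial not in self.issued:
            return "rejected: unknown serial"
        if serial in self.cast:
            return "rejected: serial already used"
        self.cast[serial] = choice
        return "accepted"

    def tally(self):
        return Counter(self.cast.values())

    def link_votes_to_voters(self):
        # Anyone holding both tables (operator, insider, intruder) can do this join.
        return {self.issued[s]: choice for s, choice in self.cast.items()}


def demo():
    server = SerialBallotServer(["alice", "bob", "carol"])  # constructed voter roll
    a, b = server.serial_for("alice"), server.serial_for("bob")
    results = [
        server.cast_ballot(a, "Party X"),
        server.cast_ballot(b, "Party Y"),
        server.cast_ballot(a, "Party Y"),               # reuse of alice's serial
        server.cast_ballot("not-a-serial", "Party Y"),  # never issued
    ]
    return results, server.tally(), server.link_votes_to_voters()


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Both rejections depend on the server storing the serial beside the choice, and that stored pairing is exactly what `link_votes_to_voters` reads.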

Here’s hoping the #ERRE Committee puts Online Voting aside until it might be accomplished securely.

One thought on “Why Online Voting is a Bad Idea for #ERRE”

  1. Yeah agreed. I ran a slightly different argument in my submission:

    “When votes are collected electronically, only one sufficiently talented bad actor is required to rig an election. If no-one with the necessary hacking skills has political motivation to hack the election, then there is a large pool of wealthy individuals (or perhaps even foreign governments) who would be willing to pay someone to rig the election outcome. Consider how many large political donations are made; then consider how large donations might be if they actually determined the result of a federal election.”

    “Information security is a losing battle. For example, some malware was recently discovered that was active for at least 5 years on “air-gapped” machines – computers whose security was so important that they were never connected to the internet. The estimated cost to perform this attack, which has at least 50 different capabilities and dozens of separate targets, was “millions of dollars”.”

    The rest is at http://www.parl.gc.ca/Content/HOC/Committee/421/ERRE/Brief/BR8465000/br-external/LawrenceFelix-e.pdf
