Online Voting in New Zealand Today
You may not be aware of it, but Online Voting is already part of our election system.
In the 2014 national elections, overseas voters had the ability to submit their vote via a website. I’m unclear on the specific details of this, but as I understand it, you could download your voting paper, print it and fill it out, scan it and upload it to the website. A witness may have been needed as well. On the website end, voting papers were apparently encrypted as part of the upload process, and a very restricted number of Electoral Commission staff had access to the key to decrypt the voting papers in a secure area.
There were 22,333 votes cast this way, out of a total of 2,416,379 votes — so nearly 1% of the votes in the election were cast using this system.
How do we know that these votes were not subject to any malicious interference?
In the context of the 2014 election — in which the result was convincing, and no electorate result was very tight — it might seem like it doesn’t matter. It’s not going to change the result, right? Except it does matter, if the “success” of this system is used to justify expanding online voting in future elections. We have a right to know — was it secure? Were there any problems? How much can we trust it?
As a starting point, I am interested in these particular questions:
(a) Could any votes have been interfered with (changed), as the University of Michigan researchers did against Washington, D.C.'s 2010 internet voting pilot? Instead of being changed to votes for the robot Bender, could any have been changed from National to Green, from Labour to Maori Party, or indeed any other change?
(b) What penetration attempts were recorded? What do the logs show? From what countries were attempts made? How many and over what timeframe? What was done in response?
(c) What, if any, changes to the software were made during the voting period? What change management was applied to the source code? What guarantees were there that the binaries actually running had been built from exactly that source, i.e. that the build was reproducible and the deployed artefacts matched the reviewed ones?
(d) What evidence is there that nobody was coerced into voting a particular way?
(e) Votes were obviously received by a computer connected to the internet. For how long were votes held on a connected machine? Were votes stored in a database at all and if so for how long? Was such a database on an internet-connected computer?
(f) What would prevent identification of the voter and who they voted for?
(g) Has the system for uploading votes online been subject to a security review by competent professionals?
(h) Has the system for submitting votes online been subject to any white-hat penetration testing by competent professionals? What were the findings?
(i) Was the code running on the servers during the election period the exact code that had been subject to a security review? What guarantees are there that the code was not changed during the election period without a security review?
(j) What precautions have been taken against voting papers being maliciously changed by a system that a voter was using to upload them? For example, if a computer in an internet cafe was used to upload the voting papers, what assurances are there that the voting paper was not maliciously altered by malware on that computer just before the voter submitted the paper to the online voting website?
(k) What opportunities do scrutineers appointed by candidates and parties have to scrutinise the votes submitted through the online system?
(l) What opportunities do scrutineers have to scrutinise the system itself? Was there access to source code, system documentation, demo systems, and other pertinent information?
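Questions (c) and (i) both come down to one check: does the code on the servers during the voting period match the code that was reviewed? The standard way to make that checkable by an outsider is a hash manifest of the reviewed tree, published (and ideally signed) before voting opens, and recomputed against the deployed tree during the election. The following is an added example written for this page, not the Electoral Commission's code; the "app" tree it hashes is a constructed stand-in, and the manifest format is an assumption for illustration.

```python
import hashlib
import os
import tempfile


def tree_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Directories and files are visited in sorted order so that two identical
    trees always produce identical manifests, whatever the filesystem order.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def manifest_digest(manifest):
    """Collapse a manifest into one hash that can be published to scrutineers."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(rel.encode("utf-8") + b"\0" + bytes.fromhex(manifest[rel]) + b"\n")
    return h.hexdigest()


def compare_manifests(reviewed, deployed):
    """Return (modified, added, removed) paths between the reviewed manifest
    and what is actually present on the server."""
    modified = sorted(p for p in reviewed if p in deployed and reviewed[p] != deployed[p])
    added = sorted(p for p in deployed if p not in reviewed)
    removed = sorted(p for p in reviewed if p not in deployed)
    return modified, added, removed


def demo():
    """Build a constructed 'reviewed' tree, alter it as a silent mid-election
    change would, and show that the published digest no longer matches."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample application tree (not the Commission's code).
        os.makedirs(os.path.join(d, "app"))
        with open(os.path.join(d, "app", "upload.py"), "w") as f:
            f.write("def accept(ballot):\n    return store(ballot)\n")
        with open(os.path.join(d, "app", "config.ini"), "w") as f:
            f.write("[crypto]\nmode = encrypt-on-upload\n")

        reviewed = tree_manifest(d)           # taken at review time
        reviewed_digest = manifest_digest(reviewed)

        # An unreviewed "hotfix" during the voting period ...
        with open(os.path.join(d, "app", "upload.py"), "a") as f:
            f.write("    # hotfix\n")
        # ... and a file that was never part of the review at all.
        with open(os.path.join(d, "app", "debug.py"), "w") as f:
            f.write("pass\n")

        deployed = tree_manifest(d)           # taken on the live server
        return {
            "digest_changed": manifest_digest(deployed) != reviewed_digest,
            "diff": compare_manifests(reviewed, deployed),
        }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: a check run on the server itself is only as trustworthy as that server, since a compromised host can report whatever manifest it likes. The manifest is useful to scrutineers when it is published before voting opens and when the deployed tree can be read through a channel the server operators do not control (a read-only image, a separate attestation, or an independent copy of the artefacts).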
If you’re unfamiliar with technology, the questions above will probably have your eyes watering. In my view, that’s one of the warning signs that online voting makes our elections vulnerable to a loss of trust in the result.
Consider the current, paper-based system. There’s a lot of labour involved, but it’s very simple to understand. People turn up to polling places. They’re crossed off the roll and given a voting paper. They go to a booth and vote in secret. They then deposit their voting paper into a box. The whole process is watched by scrutineers, nominated by candidates, who are checking that no cheating is occurring. Scrutineers are also present for the early count of advance votes, the scrutiny of the rolls, the official count, and any judicial recounts.
It’s manual and slow (compared to the internet), but it’s also very simple. Do you have eyes? Can you watch people following a simple process? Do you think you could spot people hovering behind other people at the booths? On the flip side, if you wanted to cheat the system, how much do you think you could get away with, without being spotted?
Now consider the online system. Once it opens, voting papers begin to flow in from around the world. But we know less about them. Was the voter coerced into ticking boxes they didn’t want to tick? Was the scanned image manipulated by malware before being uploaded? Was it copied by the NSA dragnet surveillance and tallied against the person’s file? All of this before the file even gets to the servers.
And once the file gets there, is there any chance it could be manipulated by an insider? They say the files were encrypted, but how good is the encryption? Where does encryption happen? If an insider discovered the key, how easy would it be for them to read everyone’s vote — or change them?
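One standard answer to the "what if an insider discovers the key" question is never to let any single person hold the whole key: split it with Shamir's secret sharing so that, say, any 3 of 5 officers must bring their shares together in the secure area before a single ballot can be decrypted, and no 2 of them learn anything about the key. The code below is an added example for this page and does not describe what the Electoral Commission actually did; it uses only the Python standard library, works over the secp256k1 field prime (any prime larger than the key would do), and splits a constructed demo key rather than a real one.

```python
import hashlib
import secrets

# Prime field for the polynomial arithmetic. This is the secp256k1 base field
# prime; any prime larger than the secret works.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x over GF(P) by Horner's rule (coeffs[0] is the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Split an integer secret into n shares (x, y); any k of them reconstruct it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # Random degree-(k-1) polynomial with the secret as the constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P). Fewer than k shares give garbage."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # Modular inverse via Fermat's little theorem since P is prime.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo():
    """Split a constructed 256-bit ballot-decryption key 3-of-5 and show that a
    quorum recovers it while two officers alone do not."""
    key = hashlib.sha256(b"constructed demo ballot key").digest()  # stand-in, not a real key
    secret = int.from_bytes(key, "big")
    shares = split_secret(secret, n=5, k=3)
    quorum = recover_secret([shares[0], shares[2], shares[4]])  # officers 1, 3 and 5
    only_two = recover_secret(shares[:2])                        # officers 1 and 2
    return {
        "quorum_ok": quorum == secret,
        "two_shares_ok": only_two == secret,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the shared value would be the private half of a public-key pair: ballots are encrypted on upload with the public key, so the server never needs the private key at all, and the shares only come together in the secure area at counting time. Splitting the key does nothing against a compromised counting machine, which sees the reconstructed key, so the reconstruction step is exactly where scrutineers would want to be present.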
Having eyes isn’t enough any more. You need years of experience in a particular subdomain of Information Technology to even have a shot of asking the right questions, let alone understanding the answers. One critical benefit of the paper-based system — its ability to be scrutinised by most of the citizenry — has been lost.
It is entirely possible that those involved were very smart in how this system was constructed. People much smarter than us may have anticipated all of the above problems, and devised clever solutions. Of course, you might need a decade of experience in infosec to actually understand the solutions, but let’s just pretend for a moment that they Got Things Right. What have we gained in return?
The obvious benefit is that it was clearly the easiest way to vote for thousands of people (assuming it wasn’t used en masse by overseas voters as a second choice because their first choice wasn’t available). Given what a pain it can be to find a working scanner, this is something of an achievement.
Perhaps everyone just took photos of their voting paper with their phones to scan their votes in — something that is deeply frowned upon in voting booths in New Zealand, by the way. Which points to an interesting question — how many people took a photo of their ballot to scan it in, and had iCloud automatically upload it, to be displayed on their Apple TV as a screensaver later?
The point is, we are asking people to make electronic copies of their votes. This will surely lead to side-effects that people may not appreciate. Is an overseas voter who accidentally uploads their ballot to Twitter because of some auto-sharing program, breaking the law? Do the GCSB have a handy record of everyone’s voting preferences now? Did anyone have their vote revealed unintentionally to a judgemental or abusive partner or family member?
The big issue I wonder about is the purpose of this system. Did it enable people to cast a vote who otherwise couldn’t? Or did people merely find it more convenient? And could we have enabled those voters to vote in a way that doesn’t run the risks that online voting poses?