Until recently, a government working group and several local councils had been (fairly quietly) contemplating a live trial of online voting at the 2016 local body elections. Aside from a few articles in the ODT back in 2013, there had been little coverage of this.
Dunedin City Council's meeting was today, and over the weekend I had the opportunity to talk to Chris Morris of the ODT and share some concerns about what online voting might mean. I spoke in the public forum at the meeting, and was really happy with the engaged and informed questions that the councillors asked.
Sadly I don't have the questions asked in reply, but here's my submission to the council from today -
Mayor Cull, Councillors.
Thankyou for the opportunity to speak today. I want to applaud your motivations in contemplating online voting. I believe that you seek to improve representation by increasing access and engagement. I wish that online voting would address those issues, but I am here today because the internet is not a secure environment for democracy.
I'm an IT developer with clients in many countries, all of whom demand security for their data. Our work has been subjected to penetration testing and to active attacks on the internet, and I'm familiar with the issues involved in securing systems online from the different methods of interference that can be attempted.
I'm concerned about a move to online voting because I feel the significant risks involved are being underplayed, and because many of the benefits cited do not hold up to investigation.
Security researchers and experts generally agree that online voting has substantial risks of vulnerability. A secret ballot poses an especially hard problem for securing when there is no physical evidence of the actual votes placed. There are multiple opportunities for attackers, and little scope for remedy or recourse if the electoral process is abused.
A group of American researchers describe their investigation of a 2010 online voting trial as follows: "Within 48 hours of the system going live, we had gained near- complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue." (Halderman et al. "Attacking the Washington, D.C. Internet Voting System" Proc. 16th Conference on Financial Cryptography & Data Security, Feb. 2012)
Security expert Bruce Schneier summed up the state of his field in 2001. "Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it." (Bruce Schneier, Crypto-gram newsletter, 15 Feb 2001)
Online voting depends on the security not only of the systems running the voting process, but also the systems used to vote - and the majority of those systems, home and work PCs and mobile devices in the community are vulnerable to multiple software vulnerabilities.
Users of computers fall prey to online deception frequently; a year ago, large numbers of users being tricked into opening a malicious attachment triggered a nationwide outage for Spark, our largest internet provider. (NZ Herald: Spark users experience internet meltdown).
With online voting, individual users will be susceptible to a targetted attack, especially when a large number of internet users are attempting an unfamiliar task together. An attacker can falsify apparent voting environments and put those in front of voters, hijacking credentials and then re-using them to make the attackers vote selections on the live system.
Attackers would have multiple ways to interfere with online voting - preventing votes, falsifying votes, destroying vote records, or denying access to voting systems. All of these techniques could be used to affect the outcome of an election in various ways.
Securing and assuring a secret ballot in a digital environment is a particularly hard issue, and one which many nations and larger organisations than ours have attempted to address and walked away from. Australia experienced a significant security issue; in France faked votes were demonstrated; the Netherlands banned online voting outright as a result; Norway abandoned their attempt; Portugal, Spain and the UK all discontinued their efforts. Washington DC's trial - an actual trial, not a live test - was hacked within 48 hours. Most security experts agree that this is no easy task, and I see risks but little advantage for us in breaking new ground here.
Proponents of online voting claim it may increase engagement - but experience has not shown this is a result to expect. When surveyed about reasons for not voting in recent general elections, NZ voters primary reason was "didn't get around to it, not interested or forgot", and disengagement was the underlying cause for 40% of non-voters. (Stats NZ: Non-voters in 2008 and 2011 General Elections)
Engagement, not access, is the primary issue for voter turnout. If the council seeks to improve vote turnout, then that is where I believe the council should direct this funding. Again, I do applaud the DCC's interest in increasing engagement from citizens and in considering this approach.
$165,000 to be part of a test with actual council elections is a significant investment, but online voting will carry a much higher pricetag for full implementation.
My recommendation is that Dunedin not proceed with the proposed online voting pilot.
Thanks for your attention.
Beau Murrah and Stu Fleming also spoke against online voting, and representatives from the NZ Blind Foundation (I think Diane, and another man whose name I forgot) spoke in favour of it on the grounds of how it enables more full representation of all voters. Councillor Wilson identified, I think correctly, that "accessible voting" and "online voting" are separate decisions, but I do appreciate that having had a taste of accessible voting online, the appeal would be great. I hope we'll see solutions here which don't require the risks of OV.
The meeting decision was that Dunedin decided to not continue with the trial, which was the outcome I hoped for. Councillors discussed it in depth and I was glad after following the discussions in other cities to observe that many councillors understood the concerns that informed experts share about moving democratic process online. I was concerned to hear a few flag that cost rather than security was a primary motivator, but learned that in our democratic system, it comes down to how people vote - not why they vote!
There was some media coverage, but the best moment of my day was getting an unexpected text from my Dad, probably having heard my comments on the radio, saying that he couldn't agree with me more. That felt great!
I'm really happy to have taken this first step in engaging with local council - not something I'd aspired to, but it was inspiring and empowering to have an opportunity to be heard by the council members, and to see that they followed what I was saying. And I think that the outcome was a very positive thing for most Dunedin citizens.
Some related coverage -
- ODT: Fears for online voting security - Chris Morris. After the last interview a few weeks ago, I managed my habit of double-negative kiwi-isms ("not such a stupid idea" => "a good idea"). Great!
- National Radio NZ: Dunedin Council pulls out of online voting trial - Ian Telfer, on Jim Mora's Afternoons show. (Six jurisdictions abandoned the process, but only one banned it.)
- Channel 9: DCC will not take part in nationwide online voting trial; bonus points for using "for the LOLz" in a TV interview!
- ODT: Council says no to online voting trial - Craig Borley
- DCC should put the council meeting on their YouTube eventually, should you want to watch the whole thing.