In this electronic age, many governments are trying to increase their capacity to use information and communication technology, and many citizens expect to deal with their governments electronically. It is natural that attention has turned to using these technologies for voting.
In the United States, in the wake of the problems with old-fashioned voting systems in the 2000 presidential election, many people have been tempted to push voting into the computer age. Congress voted large sums to help states do just this.
However, in its year-end review of 2003, Fortune magazine called electronic voting the “worst technology of the year”. A number of problems have been exposed in many states over the years with different systems. To analyse them properly and to account for their legal implications, one should start by sorting out the technology. This note will talk about two uses:
i) electronic voting in person, through voting machines – e.g. touch-screen voting
ii) electronic voting from remote locations, through the Internet or kiosks,
and then look at the differences between online voting and online banking.
In-Person Electronic Voting
A number of systems are available to let voters express their preferences by electronic means at the polling station. Many of them are touch-screen devices that are intended to eliminate problems such as mismarked ballots, hanging chads, and other ambiguous or invalid results. The results, of course, also are very quickly counted, so the outcome of the election is known sooner.
These systems do not present authentication questions – voters identify themselves in the usual way when they come to the polling station to vote. The criticisms of e-voting technology have focused on how one knows what votes are being recorded in response to the touching of the screen or pressing of the buttons. Is the software reliable, and who can tell? It is often secret or alleged to be proprietary. To what extent is one at the mercy of the technicians of the companies that provide the technology, and can we trust them? In the United States before the 2004 election, one e-voting company had a convicted felon in a senior management position, and a CEO who vowed to re-elect President Bush. Its technicians also admitted to changing the program being run in an election, to “patch” difficulties after it had been certified by the state. These unapproved changes were revealed only by happenstance.
In Florida in early 2004, a county election machine failed to count 124 votes, i.e. there was evidence that there were that many more voters than votes counted. Yet the election was decided by 12 votes. In another vote, in California, the machine reported a number of votes far in excess of the number of registered votes in the county. And how can one be sure that the numbers are right even when they are within the “expected” numbers, i.e. when they do not have obvious problems as in these examples?
In India earlier this year, researchers found gaping holes in electronic voting machines that the Indian Electoral Commission had last year declared to be perfect and infallible. (One of the lead researchers who demonstrated the flaw was arrested. then released a week later. The people who create these systems sometimes have a lot invested in them, economically or politically.)
Last year Ireland gave up on e-voting, despite a very large investment in it.
What should the law say about such situations? Does using machines with such vulnerabilities violate constitutional or statutory rights to vote? What is the legal value of public confidence?
The difficulty of auditing the results is problematic. If the software does not produce an accurate result, one cannot just run it again to get a better outcome. Many experts advocate having the machines create a paper trail that the voter can see at the time of voting, which would be available to check afterwards (a “voter verified audit trail”.)
The amendments to the Election Act in Ontario in 2010 that discussed (optional — at the option of the Chief Electoral Officer) “accessible voting methods” required, among other things, that
[t]he equipment must create a paper ballot that records the vote cast, is retained in the same way as ordinary ballots and shows the name of the electoral district, the date of polling and the name of the printer.
Paragraphs 8 and 9 go on to require that the machine must allow the voter to verify that his or her choices are reflected on the ballot both before and after the ballot is printed. Further, if the tests run before and after the voting period produce inconsistent results, the Chief Electoral Officer can require that a recount by done manually. (s. 44.1(8)) (The provisions also create a strong duty to ensure that such machines are accessible to people with disabilities.)
Finally, if the machines just stop working, are people denied their right to vote? What alternatives are available? Must every polling station with a machine also have the appropriate number of paper ballots? The City of Toronto system uses voter-marked paper ballots that are then counted electronically. That may be the best of both systems – unless you can’t read, or write, perhaps.
Remote Electronic Voting (Internet Voting)
Remote voting combines the challenges of determining entitlement to vote with those of determining the accuracy of the vote recorded. Other issues arise as to the anonymity of the ballot and its secrecy. Two brief examples of such issues follow.
In October 2010, the District of Columbia proposed to allow military personnel and other absentees to vote online. It opened its system to security testing, and one well-known expert hacked into and took over the system in about 36 hours. The researchers expressed the view that no system can yet be made sufficiently secure to be used for this purpose.
In Canada in February 2004, Delvinia Interactive Inc,, a consulting firm, published a report [PDF] on voter experience with the Markham, Ontario, Internet voting initiative in the advance polls of the municipal election of November 2003. Delvinia reported that the Internet voting system had been quite popular. It noted that only 9% of the voters who had voted in person had not used the Internet voting system because of concerns about its security. It concluded that people were not worried about the security of the system.”Voter authenticity and security are not significant concerns”. (Report on 2003 election, page iii)
Some commentators have read that report to say that there are no security issues in Internet voting. This conclusion was not justified on the face of the documents. The report on the 2003 process did not analyse the strengths or vulnerabilities of the system. It did not even describe how the system worked, technically. The report on the 2006 Markham election did report on security measures used, compared online voting to mail-in voting, and generally likened online voting to other online transactions. It referred to a security study evaluating 45 risks on different scales of risk-averseness, though that study does not appear to be online. It concluded that the benefits of the system outweighed the risks.(page 15) “It is simply impractical to resist the idea of Internet voting as a component of the total voter experience.” (page 16)
Both reports stressed voter satisfaction with the online “experience”. Whether the average voter was concerned about security is not, however, evidence whether the system was in fact secure. The municipality is offering Internet voting again again this month, supported by a social media awareness campaign that presents far fewer risks than the voting itself.
Perhaps the stakes in the election make a difference to one’s assessment of the risk, as well. Advance voting in a municipal election may be less of a risk than election-day voting in a provincial or federal election. On the other hand, if all the municipalities of the province are voting online, is the risk still manageable?
Some experts have proposed security designs that they say can resolve the issues in Internet voting. At present there seem to be no systems that combine the features said to be necessary. For a collection of good readable facts and arguments, search for e-voting on Bruce Schneier’s site or the Princeton computer security site. For more advocacy, there are the Black Box Voting sites. An active Canadian advocacy site, PaperVoteCanada, is here. Elections Canada has a number of studies and a bibliography.
The question for technology lawyers is the degree to which the law either requires or should require these features before Internet voting is permitted. (Constitutional law is not getting easier.)
E-Voting versus E-Banking
Some popular commentators say that if we can do online banking, we should be able to do online voting. Here is a brief comparison of the two processes. A number of arguments suggest that Internet voting presents more significant risks than does Internet banking.
- What if the system is down?
- With banks, it doesn’t matter – customer can try again later
- With elections, it does matter – polls have to close
- What if the system is not secure?
- For banking – the risk is the client’s (probably by contract), though banks may not insist on the contractual allocation of risk in many cases. The question turns on the burden of proof of malfunction or proper function, and of the comparative fault of the parties.
- For elections – the risk is the political system’s, involving the credibility, legitimacy of the election of the people declared elected.
- It is easier to create mass distortion by corrupting very few technical support workers, compared to how many people one would have to corrupt to distort a paper-based election.
- Voting security systems are difficult. Some criteria suggested by experts are not featured in any currently available system, and hacking techniques evolve often a step ahead of security measures.
- A lot of computer security experts do not think any current offering of Internet voting is sufficiently secure – and many do not trust most implementations of electronic voting, even when the voter comes to a polling station to vote.
- Problem of proof of loss
- If someone alleges they’ve tampered with a bank, one can prove or disprove it independently, by counting the money
- If someone alleges they’ve tampered with the electoral system, there is no “normal” or “before” state that can be checked to prove or disprove the claim (though the system could count numbers of votes cast from particular machines – but probably not who they were cast for, if the number of total votes is right).
- Problem of restoring proper state
- If someone has tampered with bank records (or the system malfunctions), the participants can restore balance by transferring money to where it belongs. The legal system allocates loss according to negligence, or by statute, among innocent parties if the rogue can’t be found.
- If someone has tampered with the election results (or the system malfunctions), it is very difficult to restore normality without running the election again, even if one can find the rogue. The rogue is never able to restore things to where they should be.
- Problem of individual identification
- Bank identifies customers and links them with transaction, so there is an end-to-end security system
- Voting system wants to identify voters but not link them with transaction (the vote), so there is a break in the end-to-end identification.
- Problem of allocation of risk if something goes wrong
- With banks, the risk is the client’s, by contract: only two private interests are affected
- With elections, the risk is the system’s. The credibility and legitimacy of government suffers
- Problem of secret ballot (not present with banks)
- Anyone can see what the person is doing if they are in the room with the person and the computer. So there can be domestic or neighbourly pressure on the vote, rather than a vote in private, free of pressure.
- Problem of bought vote (not present with banks)
- Buyer of votes can’t be sure that the vote will stay bought, with a ballot cast in private. With a computer vote, the buyer can watch the vote, or buy the PIN or other security code or device and cast the vote personally.
- General trust issue
- How does person voting know that what he or she selects on the home computer is the choice that the counting computer registers?
- Banks can create a paper receipt (as can in-person voting machines) and receipt can be compared to electronic statement of balance.
- Remote voting does not create an obviously reliable paper trail and individual votes cannot be traced through the system.
- Scrutineers will seldom have the expertise to check the software and hardware before, during, and after the vote.
- Testing the system by re-running it does not cure system problems: it just repeats them.
- Testing the system by random sampling of votes cast, via a paper trail, is inadequate in a close election, because samples may not reflect the full population of votes. (Consider opinion polls, many of which are accurate, say, within 2%, 95% of the time. Many races are closer than that in a typical election.) The votes of people who show up in person may not favour the same candidates as those of people who choose to vote remotely.
In short, there are important differences between resolving bilateral private risks and resolving large-scale (system-wide) political risks
The law requires fair voting systems, and lawyers and record management experts can add value to the discussion of whether and how to bring elections into the electronic era. In the meantime, provinces and municipalities should not rush to adopt electronic and a fortiori Internet voting. Some jurisdictions may more ready than others. Public confidence in the system must be maintained through the transition – or at least not be further undermined.