ITP Techblog

Brought to you by IT Professionals NZ

Against online voting: Technologist prefers his voting analogue

Dave Lane, Guest Blogger. 30 September 2015, 12:43 pm

Dave Lane is an engineer, software developer and voter from Christchurch and a firm believer that online voting cannot be made secure enough to protect democracy. IITP asked Dave to outline why the online voting trial next year shouldn't proceed.

I am a technologist. Technology is my passion. My expertise with computer and online technology has fed me and my family for 20 years. I would dearly love to see technology applied more effectively in every aspect of our society's democratic process. Every aspect that is, besides the most fundamental mechanism of democracy: the secret ballot, our vote. That bit should remain analogue.

Reflecting on recent local government decisions on binding online voting pilots ("trials" from central government's perspective), I tweeted "Too few realise that being a technologist comes with an implicit responsibility: having ethics to admit when tech is not the right answer." It is probably my most re-tweeted and favourited tweet to date.

My stance on online voting has got me labelled a "Luddite" by at least one pundit. A bit ironic, but so be it. History offers many examples where technology being wielded by those without sufficient ethics has resulted in utter disaster.

Surprisingly, the director of ElectionNZ, one of two small local companies wanting NZ to move to online voting, recently characterised both me and others recommending against online voting in NZ, and groups like Verified Voting abroad, as "activists incentivised to disrupt online voting". Verified Voting's board looks pretty credible to me, and if they choose to be activist, I'd say it'd be worth paying attention... but you can decide for yourself.

I have experience building security-critical government websites, a role which has given me serious respect for the online threats about which most people know little. As a technologist, it has been my role to protect others from these threats to the extent possible... and I feel an ethical obligation to speak out when I see technology being inappropriately sold as a solution to voter engagement and participation, which is fundamentally a societal "people" problem. Particularly because it also opens the process up to a whole host of new liabilities.

Even where online voting has supposedly succeeded, places like Estonia and Switzerland, they are proceeding despite substantial concerns from both security experts and voters. In Estonia, for instance, although in theory everyone can vote online, at most only 30% have. That suggests 70% of voters don't trust the system.

Misplaced Faith

I had some involvement in the DIA's working group on online voting, and was pleased with most of the recommendations they offered. I did, however, note that only a few of those involved were experienced technologists, and got the impression that most of the others held an amazing faith in technologists: that there was no problem they couldn't solve.

The only thing more striking than this faith was the disdain with which technologists like me were regarded for suggesting that, unfortunately, we could not imagine a workable online voting solution.

Interestingly, a couple of us were told that the DIA received formal advice from "security experts", but our request to see that advice was formally denied. Does the report recommend against pursuing online voting? Guess we'll never know.

Dunning-Kruger Effect

Perhaps the world's most respected online security expert, Bruce Schneier, characterised online voting this way: "Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it."

In the face of a problem so difficult, it is unsurprising that skilled software developers, who are in high demand allowing them to be picky with the work they take on, are unlikely to even attempt a solution, especially given the overwhelming likelihood - and massive ramifications - of failure.

Unskilled developers, on the other hand, often have a high opinion of their abilities (the so-called "Dunning-Kruger Effect"), generally have more time, and some seem willing to have a crack at it. Overseas trials have shown that at least some of the online voting systems, which were publicly acknowledged to be exploited by external parties (which is at least half of them), suffered from absurdly bad software design and code quality.

In the proposed local government "trials" we already see substantial corners being cut, with regard to public consultation, independent audits, red team testing, and other DIA recommendations. I'd love to say "I'm confident we plucky kiwis can succeed at building a viable online voting system where so many others have failed". But I'd be lying.

Remember, all Internet-accessible software has remotely exploitable security vulnerabilities. All of it. That we're not aware of an exploit to an online voting system offers no certainty that it is uncompromised. A smart cracker will probe the system during a trial, find an exploit, and save it until a high-stakes election, and use it subtly, just enough to alter the result to suit the highest bidder... or to create the greatest havoc. Or maybe they'll anonymously DDOS it from overseas with a local botnet-for-hire, just for the LOLs.

I don't think online voting is worth the risk. One of the best things about paper ballots is that just about anyone in society can scrutinise the election. It's a simple concept. It's a fundamentally local concept - it cannot be exploited remotely, or at scale. Online voting creates a globally accessible "attack surface" and it shifts scrutineering into the realm of highly specialised IT consultants, of which there are precious few. I get very nervous, and even rather stroppy, whenever someone in power waves their hands and says "just trust us" about things like online voting systems or secretly negotiated international trade protection treaties.

Rather than online voting, our focus should be on a mixture of new and proven methods for improving voter engagement and participation. Most of those do not rely on technology. We should be building community: creating opportunities for people to get together locally, and talk to each other.

Disclaimer: I've been moved by my conscience to speak out against pilots of online voting in NZ. I am a concerned citizen who also happens to have sufficient specialist knowledge to offer an informed perspective. I have absolutely nothing to gain financially from doing so, other than the satisfaction of doing the right thing.

What does the IT Profession as a whole think? We asked them - results here.



Jan Wijninckx 30 September 2015, 3:06 pm

Dave, good article. I respect your cautious approach, as indeed on-line security is a huge problem. Having said that, I am fervently in favor. Here is my counter argument:

1. The first George Bush the n-th elections we voted manually and completely rigged, by his bro Jeb and the other family arm Fox-"news". Nothing on-line there - paper based.

2. In many countries vote rigging is deemed such a problem that they need the UN to watch for irregularities. All paper based - all issues of rigging.

3. The current risk of vote rigging is very low and only with extreme technology savvy people who can crack and then change votes one by one and not even on a large scale.

4. On-line voting issues won't kill anyone, or steal their money, and can be audited afterwards just like any paper based system.

5. The real dangers are linking IDs to people so that voting is not anonymous.

6. All of this can be minimized to near naught through mechanisms like block-chains. Those are not tamper-able as a result of the block-chain design!

7. So the thing to watch out for is people being coerced into voting for something they don't understand, believe in, or selling their vote. But the issue is similar for blind people at the moment, as they have to trust that someone will tick the right box for them.

my 2c

Jan Wijninckx 30 September 2015, 3:07 pm

Point 3 I meant electronic vote rigging

David Lane 30 September 2015, 8:14 pm

Thanks Jan, for your thoughtful response.

Every democratic system must be built with the assumption that the current administration is corrupt and can't be trusted... I think NZ suffers from an excessive "trust" in the inherently benign nature of our gov't and politicians. As someone with experiences in other countries where that trust has been shattered (including the US example you cite (1.) with the "hanging chads"), I'm far less willing to trust the incumbent gov't. I also have a sense that democracy is a precious thing, and that trust in the system is not something to trifle with or take lightly (to be honest, I'm very dubious about the adoption of postal voting as well).

I'm afraid I strongly disagree with your likening online voting to paper ballots in 2. A corrupt gov't will never allow a valid vote regardless of the means of voting - but a corrupt government is no longer really a functional democracy anyway. I'd have much greater trust in the independence of a large number of unspecialised scrutineers for a paper ballot than a very small number of very technically specialised people required to scrutinise an online election.

Your point 3. is that a) the risk of vote rigging is very low, and b) with extremely technology savvy people, and c) who can crack and then change votes one by one and not even on a large scale... How do you figure that a) is true? I don't think that's the case - the risk increases massively with online voting - it goes from being limited to people in NZ, to being open to everyone with an internet connection in the world. And your b): - much of the damage done on the net is by "script kiddies" who aren't especially savvy, but they can carry out a DDOS as well as anyone... and c) one of the greatest strengths of the paper ballot is the difficulty in *large scale* and undetectable fraud. With online, it means that fraud, at scale (i.e. *all the votes*) is possible, and it's likely that such fraud would be undetectable.

You say in 4. on-line voting "can be audited afterwards just like any paper based system"... er, no it can't be. That's another major point in favour of paper ballots. If a vote is changed, e.g. by malware on a large number of voters' computers, prior to reaching the centralised voting system, what votes will you audit? How can you be sure you're auditing valid votes?

You say in 5. "The real dangers are linking IDs to people so that voting is not anonymous." Yes, that's one of the biggest dilemmas with online voting - making votes verifiable (i.e. that a given voter has voted, and only once) without *also* linking the vote to an individual, breaking the basic principle of "secret ballot". Yes, it's possible to work out the vote of an individual via the secret ballot in NZ, but it's very cumbersome and requires people get through a few trusted people. With online voting, it's possible that a breach will result in compromising that anonymity... possibly at a large scale (think Ashley Madison).

You mention "block-chains" in 6. Well, that's a possible approach, although there're precious few people who really understand block-chains and the related algorithms, making trusted scrutineers hard to come by. While a future online voting solution might well involve block-chains to develop trust, their use in an election is almost inconceivable given that the main security risk is the person voting... and their personal devices.

You quite rightly voice concern in 7. about "people being coerced into voting for something they don't understand, believe in, or selling their vote". Then you bring up the issue of people with vision impairment or other disabilities which you say currently means they have to trust a "proxy" to vote for them. Actually, that's not true. At present, in NZ, people can choose to use a phone-based voting method which works - without a proxy - for those with many sorts of disabilities and is far more secure than online voting by design.
