ITP Techblog

Brought to you by IT Professionals NZ

Do IT Professionals support online voting?

Paul Matthews, IITP Chief Executive. 30 September 2015, 12:50 pm

As most will be aware, it's highly likely that a trial of online voting will take place in New Zealand at next year's local body elections. This will see online voting as an option alongside postal voting in participating regions.

Views on the technical viability of online voting vary and opinion certainly appears divided at times. While there are vocal opponents and proponents for online voting, what do the majority of IT professionals think? We thought we'd find out, and the results might surprise you.

 

Poll of IT Professionals

While IITP has been broadly supportive of a trial of online voting at local body level up until now, we needed to ensure that this was still the general view of our membership, especially given the level of debate in recent weeks.

As we have done with other contentious issues, IITP conducted a poll of IT Professionals looking for a strong indication of the tech sector's views on the upcoming online voting trial. As IITP has the largest membership of IT Professionals in the country, numbering in the thousands, a poll of its members provides a strong indication of the views of IT Professionals in New Zealand.

The poll received 425 responses, giving a margin of error of 5% at a 95% confidence level. While this is a strong indicator, it should be noted that the poll, while targeted, wasn't random; the result should be considered an indication rather than a scientific conclusion. However, the result is fairly conclusive.

 

IT Professionals overwhelmingly support online voting trial

We asked several related questions (see below), however the real clincher was a yes/no question asking:

Weighing up the benefits and risks, do you believe online voting should be trialled in local body elections in New Zealand?

The results were conclusive:

[Chart: voting1.png]

With 84.6% of IT Professionals polled supporting the trial of online voting in local body elections next year, we can conclude that the bulk of IT Professionals are in favour. With 86.7% also supporting IITP retaining its position "cautiously supporting" the trial, the Institute intends to continue to do so unless circumstances change.

This doesn't mean that the issues raised by the smaller group aren't valid - they are. Both central and local governments need to ensure that world-class security and other mechanisms are in place and that no corners are cut. The trial could still be a huge failure with just a single major security vulnerability uncovered.

 

Confidence in technical feasibility of online voting

There was a smaller, but still conclusive, group (73.7%) prepared to express confidence in the technical feasibility of online voting, with even fewer (39.7%) prepared to express strong confidence.

[Charts: voting2.png, voting3.png]

There are a number of possible explanations for why some respondents who felt they couldn't express confidence still believed we should continue anyway. A small re-poll of those folks found that many in that position didn't feel technically qualified to express support for it, but believed Government wouldn't be progressing without protections in place.

 

Some interesting demographics

It gets even more interesting when we start to break it down by demographics, such as age, location and gender. It's important to note that when we look at smaller groups within the results of any dataset the margin of error increases substantially, however these are still strongly indicative of perceptions in different groups.

Note we've been a little naughty and put the scale of these graphs from 60% to 100% (rather than 0% to 100%), so be aware that the differences will appear more visually pronounced.

Support by age

The different level of support for online voting by age is fascinating, and starts to paint an interesting inter-generational story.

92.1% of those under 35 supported online voting. Interestingly, many of the comments from this demographic were along the lines of "why don't we have this already?" and "just get on with it". It's fair to conclude that those under 35 in the tech sector - the demographic that online voting is most intended to engage with - want to vote online.

[Chart: voting-age.png]

Interestingly, the lowest level of support (while still high) was from those in the 45-54 age group (78.9%). It may be no coincidence that this age was the most disrupted by technology - i.e. lived through the early years of widespread computing as a kid, but aren't generally considered "digital natives". Or maybe it is. Either way, their support is high, but statistically significantly lower than other age groups.

Support by city

We don't hold address details for everyone who responded, so this is likely to be slightly skewed towards IITP members. However it still provides a good indication of sentiment between the larger cities and the regions:

[Chart: voting-region.png]

So there are fairly similar, and not statistically significantly different, levels of support between Auckland (87.2%), Wellington (85.7%) and the regions (85.5%), with a noticeable, statistically significant drop in support from Christchurch (78.0%).

Support by closest IITP branch

Breaking down by branch is different than by city, as members identify with their "closest branch" and thus it includes those in larger cities as well as the smaller cities and towns in each vicinity. This also includes those whose address we don't hold and thus don't appear in the City stats, as everyone has an identified closest branch, member or not:

[Chart: voting-branch.png]

Again we have to note a higher margin of error, however… Go Tauranga! 100% of respondents from Tauranga support the online voting trial, which is significant. Hamilton also had a very high level of support (85.4%), with the southern branches not as convinced - 81.0% in Dunedin and 78.4% in Christchurch. That's still strong support of course - 4 out of every 5 IT Professionals.

Support by Gender

This was an interesting result. One reviewer hypothesised that this was linked to the relatively fewer participating females in identifiable developer roles vs non-dev roles (see those demographics below) rather than a causative gender bias:

[Chart: voting-gender.png]

92.7% of females supported online voting, versus 83.6% of males.

Student vs Full Professional IITP Members

We looked at the difference between support from student members and full/professional members. IITP full members need to meet experience requirements, meaning this is really looking at students vs generally highly experienced IT professionals.

[Chart: voting-members.png]

While there was a difference in levels of support, a significant factor was the average age of each category. This difference is thus better explained by the difference in age (above), and when this factor is removed, there is no significant difference. 

Developers and security professionals

Lastly, we wanted to look at what developers and security professionals specifically thought, versus all IT Professionals. Note that we only retain this information for some members, so the numbers we could identify as developers and security professionals were relatively low (meaning a high margin of error).

[Chart: voting-devs.png]

Security professionals and devs were naturally significantly more conservative about online voting, however two out of three still supported progressing to a trial of online voting.

 

Online Voting at General Elections

And lastly, should online voting be extended to nationwide general elections, as per some other countries? A smaller, but still conclusive, group of technologists (74.9%) believe so:

[Chart: voting-generalelections.png]

Judging by comments, it's likely that the drop is due to (1) the increased stakes for national elections, and (2) the lower equivalency of booth vs online (as opposed to booth vs postal) ballots.

 

Great comments from IT Professionals

We also gave all participants the opportunity to comment about any aspect of online voting. For or against, the quality of commentary was seriously impressive and showed that most respondents had given online voting considerable thought.

We've temporarily removed the PDF containing the comments due to some being mistakenly left off. This will be available again soon.

One thing that the comments brought home to me was how thorough the Department of Internal Affairs, and the Online Voting Work Group, were in considering matters related to online voting. Almost every point raised was considered at one stage or another during the consideration process.

 

So why is there concern from some about online voting?

While the results show a strong level of support for online voting from the tech sector, some still obviously hold very legitimate concerns. These concerns shouldn't be discounted because of this overall result.

While online voting is used successfully in a number of jurisdictions around the world, there have been security-related incidents involving online voting systems in the past. Given the importance of voting to the democratic process, some IT Professionals (and others) are very concerned about the security, as well as the auditability, of votes cast online versus via paper.

Arguably the worst incident was the 2010 takedown of a Washington State voting trial system during a public mock election, prior to their full election. This wasn't technically a full online voting system, but rather a system that allowed votes in PDF documents to be uploaded. The system was developed by the Open Source Digital Voting Foundation (now OSET Foundation). As a result of the system's open source nature, a group from the University of Michigan analysed the code and managed to completely take over the voting server.

Interestingly, some online voting experts now recommend against open source for online voting systems as a result of this takedown. We think they're missing the point - if vulnerabilities exist in the software, it's better for it to be open to all eyes, so that those vulnerabilities come to light, than not - especially given a core component of democracy is at stake.

However despite these issues, Washington State provides online voting today for overseas or military voters, the initial target groups, along the lines of their failed 2010 trial. Presumably with better security standards in place.

A more recent example was a security certificate being found to have not been updated in a server associated with the New South Wales online elections in Australia this year. Despite some media reports and activist claims to the contrary, it wasn't their vote collection server and no votes were compromised or exposed.

NSW have been successfully running online voting since 2011, when five times the expected number utilized online voting and 96% of participating voters were either satisfied or very satisfied with the iVote system.

Some other potential vulnerabilities, such as one identified in Estonia (which has been running online voting for many years), are only theoretical in nature. In that case, activist researchers concluded that theoretically it would be possible to repeat-vote for someone if you could use conventional means to hack and take over their individual machine, use a key-logger to log their election credentials when they voted, and re-log into the voting system on their computers, after they'd cast a vote, and cast another - but only if they'd left their ID card in their card reader.

There was no evidence this theoretical vulnerability was ever used, but it did cause some concern. However Estonia has continued to offer online voting and the percentage using it - and voting - has continued to increase while similar countries not offering online voting have seen a drop in participation in the voting process. Interestingly, by design this theoretical vulnerability couldn't be used in the NZ trial as New Zealand's voting credentials will be single-use.

Where there have been documented major concerns is with voting machines in polling booths, especially with the first generation of machines. However, this is not what is being proposed in the Trial and is therefore out of scope for New Zealand at the moment.

However, regardless of the lack of evidence of widespread online voting fraud in actual elections, when it's related to democracy the stakes are still worryingly high. While New Zealand currently enjoys other critical services such as the Census and passport applications online, the fallout from someone hacking a voting system would be significant.

 

Some problems with New Zealand's online voting trial

Despite our support for the online voting trial, we do hold some concerns, including where the implementation appears to be deviating from the carefully considered recommendations of the Online Voting Working Group. 

The decision of central government to pass the entire cost onto the participating local bodies is disappointing and led to at least two councils choosing not to be involved. Implementing online voting is a nationally significant activity, and while we do have a structure in NZ where every single Council in the country runs their own elections, the benefits of implementing one hardened online voting system - paid for centrally - outweigh those of potentially many different systems around the country (and the larger attack surface that creates).

We're also not happy with DIA's decision to quietly drop the strongly recommended bug bounty requirement, possibly due to an ill-considered view that it might cause more people to try to break it. Fact is, people are going to try to break it. Far better that they're working for you when they do so. We'll be taking this up with both DIA and participating Councils.

And lastly, after carefully examining the evidence from overseas, the working group recommended no pre-registration (as it was seen to be a barrier to participation). So in short, everyone would have a code on their voting papers they could then use to easily cast their vote online rather than posting it.

However it appears that Government has indirectly mandated pre-registration - those wanting to vote online must first request a separate code, which is then posted to them - increasing cost significantly, and creating an additional barrier to voting online (postal being 1-step, online now being 2-steps). It's likely that this decision will lead to a far lower takeup of online voting than would otherwise be the case for not much gain.

 

In summary

As one poll respondent noted, a debate on the security of online voting is both good and correct. Indeed. And in that vein, this week we've also asked two IITP members - one for online voting and one against - to summarise the arguments for and against. You can view these posts by Ian Apperley for, and Dave Lane against. NOTE: Neither of these viewpoints is wrong and, regardless of your view, we ask for comments and debate to be respectful.

IITP will continue to cautiously support online voting in New Zealand, or in other words support progressing cautiously, however we'll also continue to support debate and discussion on the relative merits and technology issues. It's good to have confirmed that the vast majority of our members support this position.

And lastly, were these results a surprise to you? Feel very free to comment below and join the conversation.

Paul Matthews is CEO of the Institute of IT Professionals.


Comments


Ian Apperley 30 September 2015, 1:52 pm

I must say, I was quite surprised at the result. I, for whatever reason, thought that perhaps I was in the minority. Very interesting demographic information as well.

Jan Wijninckx 30 September 2015, 1:55 pm

This is very good analysis work. Thank you so much for publishing this thorough, very readable and insightful article.

How interesting the stats on 45-54. I would vote for strong support by the IITP, block-chain is how we can make it secure, and it should not be limited to one company but be open source and anyone can run an election campaign, with an open block-chain interface.

Mark Goldie 30 September 2015, 2:09 pm

It seems likely for central government that it would leverage DIA's RealMe for identification. Though Jan's idea for a modified block chain would be ideal for a single-use vote, but that's technology.

From a conceptual curiosity, I'd be very interested to see how it's shaped, and the process around it.

Good article :-)

Dominic Baron 30 September 2015, 2:16 pm

I am immensely pleased by the result. The time is coming to push for a 21st century constitution like the Swiss one instead of trifling with cosmetics like flags and heads of state. Then all Citizens' Initiatives and resultant referendums and elections, local and national, can be run online with immediate decisions.

Ron Segal 30 September 2015, 2:35 pm

Firstly a big thanks Paul, to you and your team, who obviously put in a lot of effort to conduct and bring us the survey results, which, by the way, really aren't a surprise.

Interestingly it appears that most of the reported security vulnerabilities with on-line voting systems (including the fairly scathing security audit of the Estonian system), are fairly generic, where accepted good practice hasn't been followed. This is one of the reasons why a single 'hardened' system has to be the way to go, or rather a very short list (possibly of one) of 'hardened' e-voting 'authorities'. This is on the basis that it isn't just the technical system, but the entire operation that needs to be 'hardened'. Having helped manage a commercial digital certificate authority in NZ, the security culture required is very different from that of a typical business.

Separate pre-registration certainly seems like an unnecessary hurdle and expense. Authentication strength of Real-me logon might be stepped-up for e-voting by e.g. introducing additional, randomised security questions.

Noel Reid 30 September 2015, 3:15 pm

I agree with Dominic, and support Ron's thanks to Paul and his team.

I was not aware that NSW has been "doing it" successfully for so long now.

My only suggestion would be to bring in our experiences [good and/or bad] with eCensus as well.

For perhaps the first time ever, I'm pleased I'm in the 55+ category!!

David Lane 30 September 2015, 5:01 pm

Thanks Paul, for running the poll. The most striking thing to me from the result is how poorly informed many of the voters in this poll were... the frequently cited (but flawed) equivalences with online banking and eCensus were very disappointing to see. I think very few people actually understand what the "secret ballot" actually means, and its implications for designing a technical solution. Sure, for the average citizen voting, it's not crucial that they understand what "secret ballot" means (they'll still benefit from it, regardless), but for people potentially designing the online voting system, understanding this stuff is paramount.

Paul Matthews 01 October 2015, 11:25 am

Hi David,

Either that, or they hold a different view to you as to the extent the concerns you have raised can be mitigated.

Many of the concerns you have raised in different forums exist with the voting system that online voting should be compared against (in this case), being postal voting counted by machine. I appreciate you have strong views opposed to postal voting as well, which is fine. However like it or not, that is what equivalency is measured against in this case.

While levels of understanding will naturally differ across any population, personally I think concluding that the vast majority of IT professionals in New Zealand are "uninformed", because they hold a different view as to the relative importance, acceptable level of risk and mitigation, and cost/benefit in what's being proposed, is not the conclusion I would necessarily draw.

However either way, it's good for the profession to be having this debate. Thanks for taking an active part.

Grant McLean 01 October 2015, 8:59 am

Here's a thought experiment ...

Let's assume we've decided to press ahead with online voting. Then using a magical crystal ball we're able to look into the future and see that at the next election:

* the cost of running an election increased

* voter participation levels decreased

Should we carry on and do it anyway?

Mike Dennehy 01 October 2015, 11:49 am

Grant, I think that's the purpose of the trial approach. It's not possible to know whether there will be an impact either to cost or participation, without running an online voting program. Limiting it to a trial is an acceptable and proven method of reducing cost and risk.

Voter participation went down when local body elections switched to postal voting, but councils still carry on and do it anyway. Most evidence seems to point to an increase in voter participation when online voting is available, but we'll never know what will happen here unless we try it.

Grant McLean 01 October 2015, 12:25 pm

Why can't we know without running it? Why can't we look at the overseas experience where other people have tried it?

We know the cost will be higher, because both postal and online will be used - councils will have to fund both and will be keen to keep costs down. But also it's not uncommon for computer-based systems to cost more to run than the manual systems they (eventually) replace.

Most people assume that moving to online voting will increase voter participation but actual experience has shown that voter participation actually decreases. That doesn't mean that online voting causes the decrease - simply that it doesn't fix the problem.

It's depressing that we seem to be setting ourselves up to make all the same mistakes that have been made overseas.

As IT professionals we should be taking a step back to remind ourselves what problems we're trying to solve and then determine whether technology can actually solve those problems and if so, at what costs.

Paul Matthews 01 October 2015, 12:40 pm

Hi Grant,

This is a good debate to have.

However just to note, online voting *has* increased voter participation in many jurisdictions (albeit not all), especially those that have been doing it a while. For example, West Virginia (58% participation to 76% participation), Estonia (47.4% to 64.2%), Canada remote states (23% to 35%), and New South Wales (where 10% of those now voting online say they wouldn't vote otherwise).

Where there has often been the biggest lift has been in younger voters, who often have the lowest participation rates. Logic would dictate that this would increase as more younger people became of voting age and online voting becomes more of an expectation, which is the pattern that is emerging from some jurisdictions.

Interestingly, the 55+ group is increasing at the greatest rate in some places (eg in Estonia), possibly partly due to mobility issues in later life.

However that's not the only rationale of course. Check out Page 10 of the DIA report for some other rationale: www.dia.govt.nz/vwluResourc... [PDF]

Again, a really good debate to have. Thanks for contributing.

