Questions to ask about Internet Voting Richard Akerman July 2016

2

The Source Code of Democracy Voting Procedure Delivery of ballot to elector 150 (1) Every elector who is admitted to vote shall be given a ballot by the deputy returning officer. Instructions to elector on receiving ballot (2) The deputy returning officer shall explain to each elector how to indicate his or her choice and fold the ballot so that its serial number and the initials of the deputy returning officer are visible and shall direct the elector to return the marked and folded ballot. Manner of voting 151 (1) An elector shall, after receiving a ballot, (a) proceed directly to the voting compartment; (b) mark the ballot with a cross or other mark in the circular space opposite the name of the candidate of his or her choice; (c) fold the ballot as instructed by the deputy returning officer; and (d) return the ballot to the deputy returning officer. 3

Pull Request 4 http://www.parl.gc.ca/ERRE-e

The County Election, 1846 5 https://commons.wikimedia.org/wiki/File:The_County_Election,_Bingham,_1846.jpg Public domain

The Hustings, 1828 6 https://twitter.com/ElectionsCan_E/status/751101013084479489

Voting • Has been designed • Design can be examined in terms of risk • Design can be examined in terms of entire system 7

Does the design limit voter coercion? 8

Low Medium High Zero 9

Coercion Risk Analysis • Voting takes place in a public area (with observers) • Marking the ballot takes place in private, alone • Once the ballot is in the ballot box, it is “detached” from the identity of the voter – no one including the voter can prove how they voted 10

11 Can the voting process be understood and examined?

Public Understanding • “all essential steps of an election are subject to the possibility of public scrutiny unless other constitutional interests justify an exception” • The Constitutionality of Electronic Voting in Germany 12 https://commons.wikimedia.org/wiki/File:Ibm_pc_5150.jpg by Ruben de Rijcke CC BY-SA

Some numbers • 1995 - 50.58% to 49.42% • May 2016 - 50.3% to 49.7% • June 2016 – 51.9% to 48.1% • List of close election results 13

14 Is the entire system secure?

New Bug 15 http://xkcd.com/1700/ CC-BY-NC

16 Copyright © 2014 Richard Akerman https://www.flickr.com/photos/rakerman/14551345714/ Licensed in the Creative Commons CC-BY

17 https://commons.wikimedia.org/wiki/File:Walls_of_Constantinople.JPG CC BY-SA

18 https://commons.wikimedia.org/wiki/File:Dardanelles_Gun_Turkish_Bronze_15c.png Public domain

In the digital world • Copyable expertise • Scale • Distance – which means you may be facing other nations • Detectability 19 Computers can lie

Volkswagen 20 In a world where more and more objects are run by software, we need to have better ways to catch such cheaters. As the Volkswagen case demonstrates, a smart object can lie and cheat. It can tell when it’s being tested, and it can beat the test. New York Times – Volkswagen and the Era of Cheating Software by Zaynep Tufekci, September 23, 2015 https://commons.wikimedia.org/wiki/File:VW_Golf_TDI_Clean_Diesel_WAS_2010_8983.JPG by Mariordo Mario Roberto Duran Ortiz CC BY-SA

The Problem with Eve Eve Alice Bob 21 client server malware

Code Quality 2 22 http://xkcd.com/1695/ CC-BY-NC

High risk • “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results.” – May 2016 • Neil Jenkins, Senior Advisor for Cybersecurity Capabilities and Strategy at the US Department of Homeland Security 23

Recommendations from computer scientists 24 • To protect the accuracy and impartiality of the electoral process, US ACM makes the following recommendations: – All voting systems -- particularly computer-based electronic voting systems -- embody careful engineering, strong safeguards, and rigorous testing in both their design and operation; and, – Voting systems should also enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system. Making those records permanent (i.e., not based solely in computer memory) provides a means by which an accurate recount may be conducted.

An Advanced Canadian System • “We need to be more bold and confident.” – David Lennie, SVP, Data & Analytics • Massively distributed (over 65,000 nodes), fast (parallelized) and verifiable counting, high resiliency, high integrity, no maintenance, pop-up democracy at scale • Better than US • Better than UK • Better than Australia 25

Learn More 26 https://www.coursera.org/learn/digital-democracy

Get Involved • Submit a brief to the Parliamentary Committee – one brief can be submitted per person; – the deadline for the submission of briefs is 11:59 p.m. (EST) on Friday, October 7, 2016; – Briefs may be sent to the Committee by email ERRE@parl.gc.ca • http://papervotecanada.blogspot.ca/2016/06 /how-to-participate-in-erre-special.html 27

Questions • Does the design limit voter coercion? • Can the voting process be understood and examined? • Is the entire system secure? 28

Richard Akerman papervotecanada@gmail.com @papervote http://blog.papervotecanada.ca/ Disclaimer: Personal opinions only. Copyright © 2016 Richard Akerman, licensed in the Creative Commons Attribution-Noncommercial 2.0 Canada

Annex Videos • Tom Scott (8 minutes) • Andrew Appel (21 minutes) • J. Alex Halderman (1 hour 13 minutes) Reports • BC Independent Panel on Internet Voting • Assessment of Electronic Voting Options – Australian Parliament • Independent Report on E-voting in Estonia 30