Statement to the Executive Committee of the City of Toronto on Internet Voting

Recently I went up to Toronto to deliver a statement to the Toronto Executive Committee regarding a recommendation made by the City Clerk to not adopt internet voting for their 2018 municipal election. I think it had an impact; the committee and subsequently city council voted to accept the recommendations.

Statement to the Committee

Mr. Chair, members of the committee, thank-you for having me here today. My name is Aleksander Essex, I am an assistant professor of software engineering at Western University, and head of the Western Information Security and Privacy Research Laboratory, where we focus on the cyber security of online voting.

I have come to you today to speak in support of the City Clerk’s report on Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election (EX20.5), and specifically to draw your attention to the report’s finding that:

“There have been insufficient advances in Internet security to accept the risks of implementing Internet voting for the 2018 general election … [and] the challenges identified by both City staff and security experts in 2014 remain unresolved.”

Mr. Chair, I was one of those security experts who conducted an assessment of vendor proposals during the city’s 2014 internet voting RFP (#3405-13-3197). I and my colleagues found that no proposal provided adequate protection against the risks inherent to internet voting. On those grounds, we recommended in the staff report of the contract award that the city not proceed with its adoption. Council, nevertheless, voted to authorize the use of internet and telephone voting for advance polls (cf. 2014.CC54.5) for all electors.

I watched council debate that item, and was troubled that the issue of cyber security received little attention. I am sure that you appreciate that the cyber security of internet voting systems is critically important to the democratic process. Year after year, members of my research community continue to discover vulnerabilities in electronic and internet voting systems in jurisdictions around the world, that would allow hackers to do things like prevent voters from casting ballots, break ballot secrecy, and yes, even rig election outcomes. I myself will be in the U.S. next week presenting research done by my own lab demonstrating a range of attacks of this kind.

Members of the committee, an overwhelming number of cyber experts view internet voting is one of the most challenging open problems in security—for a great many reasons. The good news is that Toronto has an excellent staff that is extremely knowledgeable and capable in this area. Their efforts in the 2014 internet voting RFP have received praise internationally, and the City Clerk’s report (EX20.5) contains an excellent analysis of the current situation. I urge you, therefore, to adopt its recommendation not to implement Internet voting for the 2018 general election. Thank-you, and I am willing to answer any questions members have.