The question of online voting in Ontario municipalities is heating up as we approach the election in October. I did an interview for CBC News over the weekend about the many fundamental challenges to online voting, including why it’s not like online banking, and more like one of the greatest open problems in cyber-security.

Why is it so hard?

The issue is we’re trying to have our security cake, and eat it too. On one hand we need to provide evidence that the elected candidates truly represent the collective will of voters. On the other hand we need to keep everyone’s vote secret. The challenge comes in doing both at the same time.

Whatcha gonna do?

One subject that came up is the notion of a disaster plan, i.e., what would a city do if it discovered it was hacked? If the hack was recoverable, how would they prove it to the candidates who lost? If the hack was unrecoverable, how would they rectify the situation with electors? Importantly, it seems that many cities have not seriously confronted this question, with Sarnia’s city clerk saying “I don’t have a disaster plan in place right now,” and St. Thomas’ clerk adding “We’re hoping nothing does happen.”

“The vote is secret”

On the question of ballot secrecy, the Canada Elections Act provides perhaps the most succinct guidance: “The vote is secret.” So how is this achieved in the online voting setting? In my experience examining vendor systems, the ballot is not securely encrypted from end-to-end, and falls roughly into one of three scenarios:

  1. Vendor does not attempt to encrypt ballots end-to-end (email me for examples). The ballot arrives encrypted at the transport layer, and is re-encrypted for storage, existing briefly on the server in an unencrypted state.
  2. Vendor encrypts ballots end-to-end with a cryptographically weak key (see e.g., iVote in Western Australia).
  3. Vendor encrypts ballots with an implementation that was later found to have a critical vulnerability (see e.g., the ROCA factorization attack affecting hundreds of thousands of Estonian national identity cards).

The question of ballot secrecy was put to the president of Intelivote, who has been hired by 107 other Ontario municipalities to conduct online voting this year:

People say ‘you must know,’ but no sorry, we don’t. It’s encrypted and when it gets decrypted, the results are there, get tallied and made available to elections officials.

If Intelivote is doing something differently from one of the scenarios above, I hope they reach out. I would love to learn about how they’re addressing the issue.

