Journey of online ballot cast in Northwest Territories election.
Did you know a foreign-owned cloud provider has access to NWT’s online votes on their way to the digital ballot box?
When electors in Canada’s Northwest Territories vote online, their ballots pass through Cloudflare servers and are briefly decrypted while in transit.
A couple years ago we wrote a paper about this practice in Australia’s online elections. Now it’s happening in Canada.
What is a web proxy?
As a protection against denial-of-service attacks, you can pay cloud providers to act as a kind of friendly man-in-the-middle. That means the voter computers do not connect to the voting server. Rather, they connect to Cloudflare, and Cloudflare passes the traffic on.
They do this so they can inject things like fingerprinting JavaScript into the web session, which means they need access to application-layer data. So protection necessarily comes in exchange for a high degree of trust.
Read more about Cloudflare’s service here.
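One way a voter or auditor can see this proxying from the outside, as an added example that is not part of the original post: Cloudflare marks the responses it relays with a `Server: cloudflare` header and a `CF-RAY` header whose three-letter suffix is the airport code of the data centre that handled the request. The header values below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: headers as they might come back from a
# Cloudflare-fronted site (values invented for illustration).
SAMPLE_PROXIED = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Server: cloudflare
CF-RAY: 7f1a2b3c4d5e6f70-YVR
CF-Cache-Status: DYNAMIC
"""

# Constructed sample: a response served directly by an origin server.
SAMPLE_DIRECT = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Server: nginx
"""

# CF-RAY is "<hex request id>-<airport code of the data centre>".
CF_RAY = re.compile(r"^([0-9a-f]+)-([A-Z]{3})$")

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def cloudflare_evidence(raw):
    """Report whether the response shows signs of passing through Cloudflare."""
    headers = parse_headers(raw)
    evidence = {"proxied": False, "ray_id": None, "data_centre": None}
    if headers.get("server", "").lower() == "cloudflare":
        evidence["proxied"] = True
    match = CF_RAY.match(headers.get("cf-ray", ""))
    if match:
        evidence["proxied"] = True
        evidence["ray_id"], evidence["data_centre"] = match.groups()
    return evidence

if __name__ == "__main__":
    print(cloudflare_evidence(SAMPLE_PROXIED))
    print(cloudflare_evidence(SAMPLE_DIRECT))
```

These headers are evidence, not proof: their absence does not rule out some other intermediary, and they say nothing about what the proxy did with the decrypted traffic.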
Why is this a big deal?
Cloud providers in this context have privileged access to see and change your vote. The legitimacy of the election relies on the assumption they won’t. They say they won’t, and so far we’ve seen nothing to contradict that. But how would you find out if they did? How do you know your vote counted? And what about the trust assumptions in the company actually running the election? Or its colocation provider? Or all the organizations with access to emails containing voter login credentials?
You might reasonably ask whether all these trust assumptions are appropriate for an election of a sub-national legislature of an advanced democracy.
But before we can even have that conversation, we need to know what’s happening under the hood. Maybe we as a society are ok with relaxing some properties like the secret ballot. Or maybe we’re not. My sense is not. Either way we need the cards on the table. We need the public’s informed consent. It’s their election after all. Here’s the thing.
Online elections are no longer local elections, so we need to know: Where does my ballot go when I cast it? Who exactly has access to it? Which laws are they subject to? What trust assumptions do we have to make?
If we’re going to do online voting we will be made to confront these issues sooner or later. The only question is whether we do it before the first ballot is cast, or after the first major controversy arises.