Establishing a Legal Framework for E-voting in Canada
4.0 Main Findings and Recommendations
A legal framework for e-voting should incorporate the values inherent in our current voting system outlined earlier, such as integrity and secrecy, and should also balance this with practical realities associated with evolving technology and internal and external threats. Upon reviewing both the academic literature and the existing implementations at national and lower levels, it becomes evident that consideration ought to be given to not only the content of any normative rules, but also the process, style and format that election officials and legislators will use in drafting a substantive framework for e-voting. This includes in particular the following:
- the level at which elements of the framework will be defined, possibly including legislation drafted by Parliament, delegated regulations issued by the Chief Electoral Officer and policies;
- the extent to which any norms should be broad and flexible, with discretion left to administrators to deal with details in context or specifically defined up front; and
- the means by which the public, political entities and experts will access information and be involved in the formulation of rules or policies, scrutiny of the technological components and deployment of the electoral system.
With respect to issues of procedure and format, as well as the substance of potential rules and policies, this paper attempts to draw heavily on examining the approaches in other jurisdictions and the actual outcomes that ensued, both positive and negative. With e-voting, the legal framework in which technology is deployed can be just as important to its effectiveness, including bolstering public confidence, as the details of which particular technology is used (Goldsmith 2011).
Format of the Legal Framework
The legal framework for e-voting will span various legal and institutional instruments. At the highest level is the Canada Elections Act, legislation passed by Parliament that provides details of vote counting and registration requirements for voters, specifies electoral offences and delineates the powers of the electoral authority. Other legislation, such as privacy laws or access to information laws, may also become part of an e-voting legal framework. The legal framework may also include instruments created by the electoral authority; for instance, government agencies may be given the power under their enabling legislation to create binding regulations. It also includes non-binding instruments, such as policy statements and internal directives, that help define how the electoral authority plans to meet its statutory duties.
Generally, defining key issues in legislation increases democratic legitimacy by ensuring that elected representatives have a chance to debate and pass laws. The drawback is that even minor changes to legislation may require a significant time frame. Some items, such as criminal offences, are generally only created by legislation. However, on many other issues, Parliament may delegate rule-making powers to administrative bodies. This can be done either by granting the electoral authority broad discretion to issue regulations or by constraining its regulatory power with specific criteria that must be met in creating regulations.
The current Act authorizes Elections Canada, with the approval of parliamentary committees, to test e-voting in a pilot project. Where other countries have conducted pilot projects, they often did so with most of the procedural requirements found in subordinate regulations and technical documents. The legislation itself was often vague, but this was because risks were low and flexibility was needed to experiment. However, OSCE reports have been critical of countries such as Estonia that have used Internet voting at a national level without sufficiently detailed legislation describing the required procedures in depth.
In a 2011 pilot project, Norway relied on technical specifications and regulations approved by the Ministry of Local Government and Regional Development, while the enabling legislation merely authorized the government to conduct tests. While Internet voting was run only at a local level, the OSCE still felt the pilot could have benefited from more formal procedures (OSCE 2012b). A report by the Ministry of Local Government and Regional Development recognized that extensive legislative amendments would be needed prior to implementing e-voting on a national basis, but found they were neither wanted nor needed for the municipal pilot (Norwegian Ministry of Local Government and Regional Development 2006).
Switzerland allows individual cantons to test e-voting, with most of the detailed requirements described in regulations issued by local cantons. The electoral legislation includes some criteria as to what the regulations must contain, such as security requirements. However, Switzerland has a very decentralized electoral system, and most electoral procedures are generally contained in local ordinances.
Currently e-voting legislation in Canada at a provincial level tends to be broadly enabling and lacks specifics. For example, Alberta's Election Act enables the test of alternative equipment only in a by-election with approval of the legislative standing committee, and requires the electoral authority to list which equipment will be used and what procedures need to be changed (s. 4.1(1)). Legislation regarding e-voting for municipal elections in Ontario and Nova Scotia allows municipalities to pass bylaws authorizing alternative voting methods. Nova Scotia's Municipal Elections Act requires the bylaws to contain measures for counting and rejecting ballots, the form of ballots and notification of voters (s. 146A). Of note, it specifically also provides municipalities the ability to create voting-related offences, with fines up to $10,000 or two years less a day in jail or both (s. 146A(7)). E-voting is only permitted as a supplementary method, requiring advance or regular voting by another means (s. 146A(6)). Ontario's Municipal Elections Act, on the other hand, simply permits municipalities to introduce electronic voting through a bylaw, provided the measures are consistent with the principles of the Act (s. 42).
Where Internet voting has been used in a general election, some jurisdictions have added detailed e-voting sections in their legislation. New South Wales in Australia originally authorized the Electoral Commission to conduct tests on e-voting. Before using it in the general election, however, the Legislative Assembly passed a fairly comprehensive set of amendments introducing new criminal offences, auditing requirements and key security provisions. The legislation granted the electoral authority the power to create detailed regulations following specific criteria. For example, the New South Wales Parliamentary Electorates and Elections Act 1912 specifically authorizes the electoral authority to "approve procedures to facilitate voting by eligible electors" (s. 120AC(1)) and then provides a non-exhaustive list of criteria that should be included (s. 120AK).
Table 1 shows a brief comparison of what e-voting elements are included in the enabling legislation in various jurisdictions.
| Jurisdiction | Key E-voting Elements in Enabling Legislation |
|---|---|
| New South Wales, Australia | |
Table 2 lists some items covered in regulations issued by independent electoral authorities or ministries in charge of running elections. Some details of the Halifax bylaw are also listed briefly.
| Jurisdiction | Key E-voting Elements in Regulations |
|---|---|
| New South Wales, Australia | |
Achieving a balance between legislation and delegated regulations is important. The more detailed the legislation, the greater the legitimacy the legal framework will probably have. However, whenever a government creates legislation involving technology, it is also very important that principles such as technological neutrality be preserved and that the legislation avoid being overly detailed in its technical specifications, such as prescribing the precise hardware or encryption program to be used. Too much detail may "inhibit innovation or create legal 'technology locks'" (Alvarez and Hall 2008, 184). This may be of particular relevance in countries like Canada, where it may take months for even simple changes to elections legislation to be approved by both houses of Parliament. As such, while the legal framework should be very extensive, many of the technical procedures are better left to regulations.
Detailed legislation is not necessarily needed to test an electronic voting system in a by-election or comparably limited context, but using it in a general election without amendments to the Canada Elections Act may raise public concerns about whether there has been sufficient democratic debate and support for the system, and whether sufficient measures have been in place to reduce risk, identify malfunctions or tampering and provide for remedial measures.
The Canada Elections Act does not clearly define issues such as how the system would adapt to the discovery of problems with the e-voting system and what corrective measures would be taken. For instance, if a serious problem were discovered with an e-voting system during an election, would the vote be discontinued? Under what circumstances would an entire constituency result be invalidated and the election repeated? Currently, the Chief Electoral Officer has the authority to issue ad hoc adaptations to the Act in case of unforeseen challenges, but ideally the Act should be tailored to provide some general direction, and if possible, some guidance on how to resolve issues that could affect the results of an election.
Another concern is that some of the decisions involving e-voting require a balancing of values inherently present in s. 3 of the Charter. As such, any restriction on voting rights should be prescribed by law.
A parallel can be drawn to the 2009 German Federal Constitutional Court decision (BVerfG, 2 BvC 3/07) that blocked the use of e-voting machines until either better transparency measures were implemented or legislation specifically authorized the reduced transparency in return for greater accessibility. In that case, the Federal Ministry of the Interior was given the authority to create ordinances related to the approval of the machines. The court found that because of ongoing (and often rapid) technical development, detailed regulations are generally best left to the electoral authority. However:
Because of their particularities, regulations relating to the deployment of voting machines are reserved for parliamentary decision insofar as they relate to the major requirements for the deployment of such devices. This includes the decisions on the permissibility of the deployment of voting machines and the fundamental prerequisites for their deployment. (BVerfG, 2 BvC 3/07, paragraph 136)
Many of the problems that occur when introducing voting technologies are due not to the technology itself, but to a lack of ancillary processes that mandate how election administrators implement the systems or interact with the technology (Alvarez and Hall 2008). Whether the issue is the hardware, the software or the machine–human interface, it is the responsibility of Parliament to provide intelligible standards, minimum requirements and general directions to agencies such as Elections Canada to assist them in exercising their discretion and creating regulations or policy. This helps ensure public confidence in the use of technology and provides a stable basis for evaluating the regulations and holding officials to account.
Access and Eligibility
Determining how and when e-voting will be used is an important step, as is deciding who gets access to the system. Should legislators treat it as a special voting system designed purely as a way to enfranchise disadvantaged groups who may have difficulty voting, or should it be used as an alternative to voting in person, as a means to increase voter turnout and enhance convenience for everyone?
Currently, the Canada Elections Act provides three main methods of voting: voting on polling day, at advance polls and by special ballot (s. 127). A special ballot can be completed either in person at an office of the returning officer or by requesting that a ballot be sent by mail and returned. For those with physical disabilities, there is even provision for a designated election official to go to a person's home and assist the individual in marking the ballot (s. 243.(1)).
If decision makers choose to allow e-voting, then a provision should be added to the list of voting opportunities in s. 127 of the Canada Elections Act along with any dedicated provisions.
Restricting Eligible Voters
One of the considerations behind e-voting software is whether to allow its use by everyone or a selected subset of voters. Is e-voting being used as a tool only to accommodate those who may have difficulty voting at a polling station? Will there be a decision to limit who can vote remotely in order to work out concerns over voter authentication and mitigate against abuse? The Canada Elections Act contains specific provisions to set up military polling stations (part II, division 2), as well as to accommodate disabled voters by sending elections officials to their house to facilitate voting (s. 243.(1)). The Act also differentiates between those voting by special ballot who are residing in Canada (part II, division 4) and those who are living outside the country (part II, division 3). However, there are no restrictions on who may use special voting, as long as they meet the residential and identification requirements. Any eligible voter who does not desire to vote on voting day can either vote in advance at the office of the returning officer or request a ballot by mail.
Internationally, there are different approaches to eligibility for e-voting. In Estonia, every voter who chooses to use the system may vote online; this was facilitated by a national ID infrastructure, with a secure ID card, already used for government services, so that handling the identification and authentication of voters was less of an issue. Switzerland's federal ordinance on political rights allows e-voting but limits its use to 10 percent of voters at the federal level in any given election. This effectively ensures that a national government can be formed even in the event of an e-voting failure. France recently allowed only citizens living abroad to cast an online ballot in its parliamentary elections, thereby reducing those voters' dependence on mail to return ballots; domestic voters were still required to vote using traditional means.
New South Wales recently allowed specified classes of voters to cast a ballot over the Internet. Under s. 120AB of the Parliamentary Electorates and Elections Act, the following categories of voters are permitted to vote over the Internet:
- electors with visual impairments
- electors with disabilities that make it difficult to reach polling stations
- rural voters who live over 20 kilometres from a polling station
- voters who will be out of the state on voting day
Additionally, the legislation grants New South Wales's Electoral Commission the ability to publish additional regulations that further restrict or expand eligibility requirements. In order to be eligible, the voters must be registered to vote in advance by applying online or by phone. The original intention was to permit only disabled voters to use the new system, to satisfy international obligations under the United Nations Convention on the Rights of Persons with Disabilities (Allen Consulting Group 2011). However, rural voters and out-of-state voters were subsequently authorized by the Legislative Assembly to vote over the Internet. As Australia uses compulsory voting, this ensures that mandatory participation in an electoral system does not create undue hardship.
In Canada, the Charter guarantees of an effective right to vote to all Canadians and a general presumption of equality create the possibility that the courts could find a constitutional violation if some voters were allowed to use e-voting in an election while other voters were not. Generally any restriction of a Charter right must be defined by law or regulation, in accordance with s. 1, rather than left to the unconstrained discretion of officials (Footnote 8). However, if a program is only aimed at ameliorating a disability, the Charter will not preclude it.
To avoid potential constitutional challenges, legislators would be prudent to include provisions in the Canada Elections Act if they wished to limit who could e-vote in a given election.
If the goal of choosing a limited deployment for online voting is to limit exposure to fraud, a better solution may be to use more stringent identification requirements, such as requiring in-person registration for most voters. This may be less convenient for some voters, but convenience (as opposed to disability accommodation) is not a constitutional requirement (Henry v. Canada).
Cost effectiveness might weigh into a judicial evaluation of whether the Government of Canada has fulfilled some of its prima facie constitutional duties (e.g. facilitating voting) or a "reasonable limits" analysis of whether an e-voting system has features that are problematic constitutionally – such as excluding or not accommodating certain groups of voters – but is nonetheless justified as a "reasonable limit" on a Charter right. Leaving aside the potential for court challenges, cost–benefit considerations can be decisive in public support for an e-voting system. For example, a decision to introduce Internet voting to overseas military voters in Australia in 2004 ended up costing around AUS$521 a voter compared with $10 using traditional voting means (Australian Electoral Commission 2008). A pilot project involving assisted voting devices in the Winnipeg North federal by-election in 2010 cost nearly $30,000 per vote, with only five voters using the equipment (Elections Canada 2011a).
Table 3 shows the breakdown of New South Wales costs per vote using the actual costs, as well as projected future costs if every voter was permitted to vote online (Allen Consulting Group 2011).
| Use | Cost per Vote (AUS$) |
|---|---|
| 46,000 votes cast electronically in 2011 state general election (disabled, rural, absentee) | $72 (actual) |
| 500,000 e-voters in local government elections | $10 (estimated) |
| 1,000,000 e-voters in local government elections | $6 (estimated) |
| Regular election | $8 (actual) |
While the cost per vote to run an online system appears to be high, this must be put into context. New South Wales spent AUS$3.4 million on its e-voting system in 2011 (about CAN$3.6 million). To put this in perspective, the total cost of running the 2011 general election in Canada was $279 million (Elections Canada 2011b). The more people who can e-vote during an election, the more cost effective the system will appear.
Voter fraud has been a legislative concern in Canada, and any use of e-voting or expansion of alternative means of voting will likely raise this issue. Parliament passed more stringent voter identification requirements in 2007 to address concerns about voter impersonation at the polls. Voters must now bring proper identification to vote or have another voter vouch for them.
Those voting by mail through a special ballot must provide satisfactory proof of identity, but there are few means of proving that the individual returning a mail-in ballot is the person who applied to receive it. The trade-off with special balloting is that election officials have time to approve each applicant, check addresses and identify multiple voting, whereas poll workers on election day are expected to register a voter instantly. If functional equivalence to mail-in voting is the only criterion applied, then an address and other identifying information should be sufficient.
Internet voting can be more secure than mail-in voting in some aspects, since personal identification information is not only collected when a voter requests a ballot, but an e-voting system could again require additional information prior to a voter casting their ballot. However, decision makers may also be concerned that introduction of a new technology may come with increased scrutiny as to the existing special voting identification requirements, and thus may want to be proactive.
Estonia may be the gold standard for identification and authentication because of its use of a national electronic identification card. The identity cards are ubiquitous across the country and used for everything from bus passes to government services. Voters insert the card, which contains a code that securely encrypts their identification, into a card reader attached to their computer while entering their secret passcode. If a voter loses their card, they can go to a bank or government kiosk to get a new card and passcode. Because a voter must prove their identity in person before gaining the card and the passcode, there is very little concern about an ineligible individual being able to vote. While an eligible voter could provide their card and passcode to a third party, there is little opportunity for wide-scale fraud.
Other means of handling voter identification vary. In Norway, the pilot relied on both mobile phone infrastructure as well as secondary voter cards. A voter would receive a login identity and passcode in the mail, and upon logging in would receive a text message to their phone, reducing risks from stolen mail. Switzerland, on the other hand, mailed voter cards with passcodes and relied upon secondary personal information such as date of birth to reduce the potential for systematic fraud. In India, in order to vote online, an electoral officer will come to a voter's house and take biometric information from the voter, including a thumbprint, before issuing a voting card and online PIN (Kapoor 2011).
New South Wales, as mentioned earlier, imposed limitations on who may vote. To reduce impersonation or mail fraud, a voter would be provided a passcode over the phone or online when they applied to vote. Anyone making a misleading statement on an application may receive up to two years imprisonment or a stiff fine. The Electoral Commission is required to publish regulations on how authentication is handled, and the requirements may change in the future.
Many of these methods arguably provide an equal or higher level of protection against unauthorized voting than traditional mail-in ballots, which are vulnerable to mail theft. Additionally, Estonia's use of a secure identification card ensures a level of security similar to in-person voting, since visual identification is required to obtain the passcode in the first place. However, any discussion of whether to introduce a national identity card in Canada is beyond the scope of this paper.
While adequate steps should be taken to ensure that those using an online voting system are in fact entitled to vote, the Supreme Court of Canada has found that overly onerous steps and perfection are not a requirement.
The system strives to achieve accessibility for all voters, making special provision for those without identification to vote by vouching. Election officials are unable to determine with absolute accuracy who is entitled to vote. Poll clerks do not take fingerprints to establish identity. A voter can establish Canadian citizenship verbally, by oath. The goal of accessibility can only be achieved if we are prepared to accept some degree of uncertainty that all who voted were entitled to do so. (Opitz v. Wrzesnewskyj, paragraph 45)
Because online authentication technology is constantly improving, the electoral authority should be required to create regulations describing authentication and identification procedures. To ensure that ineligible voters cannot vote, the procedures should either require voters to identify themselves in person to an authorized official before receiving login information or require a sufficient combination of the voter's personal information and login passcode.
Additionally, the electoral authority may use a secure electronic signature as part of the voter identification process or in returning digital ballots. An example of legislation describing this can be found in the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the Secure Electronic Signature Regulations. Under PIPEDA, the Treasury Board must be confident that a secure electronic signature is secure and reliable and meets the following conditions (s. 48.(2)):
(a) the electronic signature resulting from the use by a person of the technology or process is unique to the person;
(b) the use of the technology or process by a person to incorporate, attach or associate the person's electronic signature to an electronic document is under the sole control of the person;
(c) the technology or process can be used to identify the person using the technology or process; and
(d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
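The four PIPEDA conditions above map directly onto a public-key signature returned with a ballot. The following Go program is an added example, not code from the paper or from any electoral authority: it assumes a constructed registry that binds one key pair to one voter identified in person, signs a sealed (already encrypted) ballot envelope so the signature authenticates the return without exposing the choice, and shows condition (d) by checking that a single flipped bit after signing fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry maps a voter identifier to the public key issued to that voter
// after in-person identification. (Constructed for this example.) Binding
// exactly one key to one identified person is how conditions (a) and (c)
// are met; keeping the private key only on the voter's card or device is
// condition (b).
type Registry map[string]ed25519.PublicKey

// EnrolVoter generates a key pair for a voter, records the public half in the
// registry and returns the private half, which in practice never leaves the voter.
func EnrolVoter(reg Registry, voterID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[voterID] = pub
	return priv, nil
}

// SignSealedBallot produces the voter's electronic signature over the sealed
// (already encrypted) ballot, so the signature authenticates the envelope
// without revealing the vote inside it.
func SignSealedBallot(priv ed25519.PrivateKey, sealed []byte) []byte {
	return ed25519.Sign(priv, sealed)
}

// VerifyReturnedBallot implements condition (d): the signature is linked to the
// ballot document such that any change since signing makes verification fail.
// It also confirms the signature was made with the key enrolled for voterID.
func VerifyReturnedBallot(reg Registry, voterID string, sealed, sig []byte) bool {
	pub, ok := reg[voterID]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, sealed, sig)
}

// Demo runs enrol, sign and verify on a constructed sealed ballot and reports
// whether the genuine, tampered and wrong-voter returns verify.
func Demo() (genuine, tampered, wrongVoter bool, err error) {
	reg := Registry{}
	alice, err := EnrolVoter(reg, "voter-0001") // constructed identifiers
	if err != nil {
		return false, false, false, err
	}
	if _, err = EnrolVoter(reg, "voter-0002"); err != nil {
		return false, false, false, err
	}
	// Stand-in for an encrypted ballot envelope; real ciphertext is opaque too.
	sealed := []byte("CONSTRUCTED-SEALED-BALLOT-BYTES-0123456789")
	sig := SignSealedBallot(alice, sealed)

	genuine = VerifyReturnedBallot(reg, "voter-0001", sealed, sig)

	altered := append([]byte(nil), sealed...)
	altered[len(altered)-1] ^= 0x01 // flip one bit after signing
	tampered = VerifyReturnedBallot(reg, "voter-0001", altered, sig)

	wrongVoter = VerifyReturnedBallot(reg, "voter-0002", sealed, sig)
	return genuine, tampered, wrongVoter, nil
}

func main() {
	g, t, w, err := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongVoter=%v err=%v\n", g, t, w, err)
}
```

Signing the plaintext ballot instead of a sealed envelope would satisfy the four conditions but link the voter's identity to their choice, which is why the signature here covers only the encrypted form.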
Parliament should grant the electoral authority flexibility in choosing the methods of authenticating voters as long as they are secure and reliable.
Considerations for Voters Abroad
In the last Canadian election, eligible electors living outside of Canada cast over 17,000 votes. One of the benefits of Internet voting is that it makes it easier for voters living abroad to ensure their ballot arrives in time, especially since international mail can be slow. However, there may be legitimate reasons for allowing the electoral authority to limit online voting to certain countries. For instance, some countries may censor or monitor Internet transmissions, other countries may pose security concerns and it is generally difficult to punish those who violate election laws abroad (Footnote 9).
Most Canadians casting ballots abroad live in countries with a comparable level of Internet freedom as Canada. More than 11,000 of these votes came from countries that are listed as having a high degree of Internet freedom by the NGO Freedom House, including the United States, United Kingdom, Australia and Germany (Kelly and Cook 2011). An additional 3,000 votes came from other countries in the European Union that were not ranked, but likely have similar access to the Internet. There were also approximately 650 votes from states that have only partial Internet freedom, including Mexico, India, Korea, Turkey and Russia, and an additional 1,200 votes from Singapore and Persian Gulf countries that were not covered by the Freedom House listing. Some countries receive a poor rating on Internet freedom, engaging in censorship and often blocking Internet connections. Last federal election, 660 votes were cast by mail from such countries, including China, Thailand, Vietnam, Saudi Arabia, Iran, Pakistan and Nigeria. Whether there is potential for state interference in an election system in these countries may raise a concern, albeit arguably the same concerns could exist for mail-in ballots.
Another consideration is that allowing the Internet voting system to be accessed from countries associated with a high volume of cyber-attacks could cause security concerns. For example, a 2007 cyber-attack believed to have originated in Russia caused significant disruption to Estonia's banks and parliamentary communication for almost three weeks (Ruus 2008) (Footnote 10). According to security experts, the four largest sources of online attacks in the first quarter of 2012 were China (30.6 percent), the United States (19.2 percent), Russia (13.4 percent) and India (9.5 percent) (Prolexic 2012). Election authorities may have to block some international access in the case of a massive cyber-attack coming from a foreign country.
As well, not every country permits encrypted Internet signals to be sent abroad. Switzerland focused its online voting toward voters living in countries that signed the Wassenaar Arrangement, which is a treaty adopted by Canada that permits the exchange of encrypted data between countries (COE 2010).
We recommend that the electoral authority work with other government departments to identify countries where Canadians may freely vote abroad as well as countries that may host potential threats to the voting systems. The legal framework should permit the electoral authority to determine the countries from which online voting may be available, and should give it the authority to block voting from a given country to prevent attacks. Additionally, in countries without a free Internet, legislation should allow electoral authorities to set up electronic voting stations at consulates and embassies. However, additional precautions should be taken with any shared voting terminal, similar to what would be required with a controlled voting system.
The legal framework, either directly in the legislation or in published regulations, should clearly define all important dates in an election period. While it is possible to allow Internet voting until the close of the polls on the final day of voting, this does not appear to be the norm in jurisdictions that allow e-voting. The Council of Europe only recommends that Internet voting not proceed past the regular election cutoff (COE 2005). However, a Norwegian report firmly recommends precluding e-voting on election day (Norwegian Ministry of Local Government and Regional Development 2006).
In most cases, Internet voting starts about midway through a campaign and ends four to seven days before the polls close. E-voting happens early to give electoral authorities time to react to technical problems and to revise voter lists so that election day poll clerks know who has already voted. However, Internet voting should not end so far in advance of election day that it unfairly deprives voters of key election milestones, including debates and last-minute announcements.
In many ways this is similar to advance voting, which happens on days 10, 9 and 7 of an election in Canada. Estonia's Internet voting period ends at the same time as the advance polls, that is, four days before election day, mainly so officials can reconcile multiple votes, because the legislation permits individuals to override their Internet vote with a second Internet ballot or by voting in person at a polling station. Estonia's online voting period starts 10 days before the election, prior to advance voting.
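The reconciliation that Estonia's four-day gap exists for can be stated precisely. The Go program below is an added example, not the paper's or Estonia's code; it assumes a constructed ballot record (voter ID, channel, time cast, choice) and applies the override rule as the text states it: a later Internet ballot replaces an earlier one, an in-person ballot replaces any Internet ballot, and a voter with two in-person ballots is withheld from the count as an anomaly for officials to investigate.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Channel identifies how a ballot was cast.
type Channel int

const (
	Internet Channel = iota
	InPerson
)

// Vote is one ballot record as the reconciliation step sees it.
// (Constructed record shape for this example, not Estonia's actual format.)
type Vote struct {
	VoterID string
	Channel Channel
	Cast    time.Time
	Choice  string
}

// supersedes reports whether candidate replaces current: an in-person ballot
// overrides any Internet ballot, and among Internet ballots the latest wins.
func supersedes(candidate, current Vote) bool {
	if candidate.Channel != current.Channel {
		return candidate.Channel == InPerson
	}
	if candidate.Channel == InPerson {
		return false
	}
	return candidate.Cast.After(current.Cast)
}

// Reconcile applies the override rule and returns the ballot that counts per
// voter, the voters who cast more than one ballot (the cases officials must
// settle before election day), and the voters with more than one in-person
// ballot, which the rule cannot resolve and which are withheld from the count.
func Reconcile(votes []Vote) (counted map[string]Vote, overridden, anomalies []string) {
	byVoter := map[string][]Vote{}
	for _, v := range votes {
		byVoter[v.VoterID] = append(byVoter[v.VoterID], v)
	}
	counted = map[string]Vote{}
	for id, vs := range byVoter {
		inPerson := 0
		winner := vs[0]
		for _, v := range vs {
			if v.Channel == InPerson {
				inPerson++
			}
			if supersedes(v, winner) {
				winner = v
			}
		}
		if inPerson > 1 {
			anomalies = append(anomalies, id)
			continue
		}
		if len(vs) > 1 {
			overridden = append(overridden, id)
		}
		counted[id] = winner
	}
	sort.Strings(overridden)
	sort.Strings(anomalies)
	return counted, overridden, anomalies
}

// Tally counts the choices on the ballots that survived reconciliation.
func Tally(counted map[string]Vote) map[string]int {
	t := map[string]int{}
	for _, v := range counted {
		t[v.Choice]++
	}
	return t
}

// SampleVotes is a constructed set of ballots exercising each case.
func SampleVotes() []Vote {
	at := func(day, hour int) time.Time { return time.Date(2024, 3, day, hour, 0, 0, 0, time.UTC) }
	return []Vote{
		{"v1", Internet, at(1, 9), "A"},
		{"v1", Internet, at(3, 20), "B"}, // later Internet ballot overrides
		{"v2", Internet, at(2, 12), "A"},
		{"v2", InPerson, at(6, 11), "C"}, // in-person ballot overrides
		{"v3", Internet, at(4, 8), "B"},  // single ballot
		{"v4", InPerson, at(6, 9), "A"},
		{"v4", InPerson, at(6, 17), "B"}, // two paper ballots: anomaly
	}
}

func main() {
	counted, overridden, anomalies := Reconcile(SampleVotes())
	fmt.Println("tally:", Tally(counted), "overridden:", overridden, "anomalies:", anomalies)
}
```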
New South Wales allows voters to vote online from the 12th day before an election up until the evening before the election. Voters who apply to vote online are precluded from voting at the polls. These dates are published in electoral regulations. Electoral authorities may extend e-voting up until the close of polls on election day, in the case of any major technical problems on the final day of e-voting. However, any extension of the voting period would likely cause a delay in tabulating the final voting results since the state's procedures require each e-vote to be printed and counted alongside regular ballots.
The online voting period should extend for a multiple-day period, to maximize usage as well as to prevent disruptions from affecting voter confidence. Norway allowed e-voting for one month, which was seen as an effective tool to minimize disruption from a potential denial of service attack (OSCE 2012b). If too short a voting window is permitted, the possibility of a temporary attack on a server may frustrate and potentially disenfranchise voters. This happened in Canada during the 2012 NDP leadership contest, when officials had to extend e-voting periods as a result of a denial of service attack (Scytl Canada 2012).
We recommend that the electoral authority be given the authority to define the voting period for e-voting in regulations. The voting period should begin well in advance of voting day, be accessible for a week to 10 days, and end a few days prior to election day. This would provide e-voting administrators time to revise electoral lists as well as time to react to potential problems with the e-voting system.
Summary of Recommendations
E-voting can be introduced to facilitate accessibility and provide reasonable accommodation to voters who have difficulty attending traditional polls, or it can be expanded to allow all voters to use the system. These decisions involve weighing cost effectiveness, efficiency, fairness to voters and risk. As discussed in the background section, the legislative framework should treat e-voting as the functional equivalent of special ballots conducted by mail, and non-electronic alternatives should always be accessible. While electronic ballots may be analogous to paper, the constitutionally guaranteed effective right to vote likely demands that voters who do not trust or feel comfortable using computing technology are provided with sufficient options and have confidence that their vote is secure. We recommend:
- E-voting should be treated as the functional equivalent to special or postal ballots and non-electronic alternatives should always be accessible.
- If there is a desire to limit electronic voting to a specified group, the Canada Elections Act should clearly prescribe the eligibility requirements. (Some jurisdictions only allow out-of-district voters, disabled voters and those who live a fixed distance away from the polls to vote over the Internet.)
- Access to electronic voting should be broad enough that implementation costs are not disproportionate to those of traditional voting.
- Parliament should grant the electoral authority flexibility in choosing the methods of authenticating voters as long as the methods are secure and reliable.
- Electoral officials should work with diplomatic officials to determine the countries from which remote voting can safely be permitted.
- The period for e-voting should be conducted over at least a week and end no earlier than the close of advance polls but before voting day. The period should be fair to e-voters but also allow the electoral authority time to react to technical problems.
One of the major issues for building public confidence in an electoral system will be the transparency of a technological system. Transparency is important both for ensuring integrity in the underlying measures and for building public confidence. As noted in one paper, "It is not only important that a system is reliable, it is also important that people believe that the system is reliable" (Pieters and Becker 2005, 3). Pieters and Becker argue, in the context of whether a voter should receive proof of how they voted, that transparency may be a more important democratic value than voter secrecy. In moving to an online voting system, transparency is directly related to the amount of information that is available to the public, as well as to intermediaries such as candidates, political parties, the media and election observers. As was stated in a recent paper on trust in the system, "[t]he more information is withheld, the less the public will appreciate the added value gained by applying the remaining measures" (Volkamer et al. 2011, 2).
Scrutineers and Monitoring
Electoral transparency is provided for in a number of ways under the Canada Elections Act. The Act provides that most election instructions, correspondences and rulings are public records and may be inspected by any person during business hours (s. 541). Election officials are required to create reports if they believe that any ballots have disappeared (s. 314). The Chief Electoral Officer is also required within 90 days after an election to issue a formal report on election results and other issues (s. 534).
Political candidates or their representatives (also known as scrutineers) are an important means by which transparency is guaranteed. They are permitted access to polling stations and may be present at the counting of the votes and are able to object to the ballots as they are counted. The election rules even stipulate that if no candidate representatives are present for the counting of the votes, then two electors must observe the counting (s. 283(1)).
The current system guarantees transparency by a combination of scrutineers and reports to the public. A similar level of transparency with e-voting can likely be achieved by detailed reporting and allowing scrutineers access to components of the e-voting system. The rights of candidates, parties, citizens groups and the media to scrutinize the accuracy and efficacy of technical processes are critical to the conduct of genuine elections (Young 2009).
Use of candidate-appointed scrutineers to oversee e-voting has already been given some traction in other jurisdictions. In France's 2012 parliamentary elections, candidates were permitted to appoint a delegate to monitor electronic voting if advance notice was given (Electoral Code, article R176-3-2).
Paper-based processes are inherently less complicated and simpler to observe, whereas specialized training may be required to perform the role of a scrutineer adequately in e-voting. Norway had a very open process to allow observation, but at the same time, parties showed little interest in remaining involved (OSCE 2012b).
It is important to determine what level of access scrutineers (or other observers, such as academics and international observers) have to view or monitor servers and equipment on which a voting system is run during an election cycle. Some observers feel that scheduled observations, as opposed to random checks of equipment, are "against the spirit and purpose of trustworthy election observing" (Open Rights Group 2007, 13).
Unlike traditional voting, scrutineers do not need to oversee the counting of every single e-vote; rather, they must ensure that the electronic processes are followed. The legal framework should include formal rules to ensure parties can appoint technically knowledgeable scrutineers to observe the electronic voting system.
Access to Source Code and Logs
An important legislative requirement in an e-voting system is that there are provisions to ensure that every aspect of the chosen system can be viewed and observed for either errors or manipulations. It may be sufficient for a school board election or low-risk vote to trust a vendor's system or rely on other jurisdictions' experiences with a service provider. However, it would be highly unreasonable for election officials to use a controlled e-voting system for a national election that could not be independently verified to ensure every vote is counted and that there is no opportunity for third-party manipulation. In Germany, a lack of transparent access to e-voting machines' source code led its Federal Constitutional Court to ban e-voting machines (BVerfG, 2 BvC 3/07).
In an Internet voting system, public transparency is needed in the selection of the hardware and platform that a system is run on, in the review of the code behind all of the e-voting software and in access to any logs or records of any changes that are made to the software.
The legal framework should address who has access to the source code and logs, describe any conditions for gaining access and outline how errors should be reported. Optimally, access to source code should be as open and transparent as possible, while protecting any proprietary or critical intellectual property (Alvarez and Hall 2008).
While the Access to Information Act generally provides the public with access to government documents, a more tailored regulation for e-voting is needed since the Act allows the government to withhold information about computer systems and their security measures, technical information or third-party trade secrets (ss. 16.(2), 18.(a) and 20.(1), respectively).
One of the options to increase transparency is to make the entire source code publicly available. Election authorities would make the code available on a public site for scrutiny prior to the start of voting. Arguments in favour of publicly available source code include the following (Smith 2006):
- Visibility of source code works as a motivator to write clean code.
- Free analysis can be gained by making it readable to the world.
- The available resource base for future development is broadened.
- The counting process is open for all to inspect.
Public availability of the code was one of the measures used in Norway to increase transparency. The source code of its election system was posted on the government's website, although the software developers retain patent and copyright protection over their intellectual property. Other transparency measures included a live, videotaped ceremony open to the public in which election administrators ran the various steps of decrypting and tabulating the votes.
While releasing source code publicly may seem to be more transparent, the advantages of this approach over selectively submitting the code for private review may be limited. The average member of the public would not be able to properly vet the code, and there is little guarantee that undetected vulnerabilities would be reported to election authorities rather than exploited by those viewing the code.
Generally the goal is to ensure that e-voting is not materially less transparent than paper-based voting, since the principle of functional equivalence requires that the new rules be as good as or better than the current ones. However, even under a paper-based voting system, the public relies on intermediaries to ensure the results are accurate, and access to vote counting is generally restricted to election officials and scrutineers.
While Norway allowed its source code to be made public, most jurisdictions restrict access. Estonia, for example, does not publish its code, but rather has it reviewed by an academic prior to being used, and an independent auditor is appointed to observe that technical staff have followed prescribed security procedures. Third parties can review the election software after signing a confidentiality agreement. If problems are found, reviewers must notify the election authorities before they are allowed to make public comments (Martens 2012). Likewise, the law in Switzerland contemplates and allows interested academics to review the electronic voting software, while mandating that an independent certification agency actually review the code.
While most jurisdictions rely on a non-disclosure agreement to protect the code, the state of New South Wales has taken a stricter approach, prescribing a punishment of up to six months in jail for disclosure of the source code.
Allowing qualified individuals full access to the source code is generally seen as a way to promote technical improvements, while limiting some of the potential risks with full public disclosure (Hall 2006). In the Australian state of Victoria, the Victorian Electoral Commission, currently working to implement Internet voting, has recommended the legislature create independent observer roles to provide scrutiny of e-voting systems (Buckland and Wen 2012).
Because the Canadian electoral system already provides candidate or party representatives with a high level of access to counting, it would be prudent to create a similar scrutineer role to review the Internet voting system. Even if the electoral authorities appoint an independent auditor to review the code, allowing political entities to nominate their own reviewer will increase trust. Additional access to code may be given to academics, international observers, representatives of NGOs or even members of the general public.
The legal framework should give the electoral authority the power to create a series of formal requirements on how access to the code and system information will be granted and whether there are any conditions that should restrict access. There may be requirements that individuals apply so that background checks (e.g. criminal record) can be carried out, and individuals might be required to sign limited confidentiality agreements. Also, as discussed in section 4.6.6 of this paper, an accompanying electoral offence preventing unauthorized access to the code may also be considered.
Public Communication and Compliance
Whether or not the entire e-voting source code is published, every effort should be taken to communicate as much information as possible. Source code availability does not address comprehension, although it may increase the degree to which the public trusts the system (Hall 2006). The specific requirements could be mandated by the legislation, or it may be left to electoral authorities to determine what adequate information should be.
In Switzerland, article 27d(3) of the federal ordinance on political rights stipulates that cantons must have a plan to inform the electorate about the organization, technology and procedures for the electronic voting before using e-voting.
Thorough documentation ought to be made available, as without it the public may not appreciate the system (Volkamer et al. 2011). However, simple documentation should also be released that will be understandable by the general population. This should include the technical measures taken to guarantee secrecy and ensure the integrity of the system. The benefit of this is that independent technical experts can review the system and confirm to the public that the simplified documents are correct. The perception of credibility is as important for electoral processes as actual integrity (Volkamer et al. 2011).
It may also be useful for governments to show compliance with, or at least assess the given system against, international standards. The Council of Europe recommendations, for instance, provide detailed technical steps, which Norway specifically references in its regulations. The legislation may also choose to require the system to be compliant with a recognized body for security or data integrity. Section 68 of Quebec's An Act to Establish a Legal Framework for Information Technology provides an example of legislation that requires approval by a recognized body, listing the International Electrotechnical Commission (IEC), the International Organization for Standardization (ISO), the International Telecommunication Union (ITU) and the Standards Council of Canada (or a body accredited by that council) among the known authorities. Likewise, the Council of Europe recommendations list the European co-operation for Accreditation (EA), the International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF).
The legal framework should allow considerable flexibility to the electoral authority to develop a plan to communicate to the public the steps taken to ensure the integrity of the system, as well as any third parties that have verified the software. It would be useful, however, to formally acknowledge the importance of reasonably extensive and timely public communications and identify any particular concerns (protecting systems from tampering, the intellectual property of technology providers or individual privacy) that might limit the time and extent of public disclosure.
Reporting and Responding to Incidents
Because e-voting can be vulnerable to both external threats as well as technical problems, it is possible that problems with the system could be uncovered at any time before, during and after an election. The legal framework should address not only how problems are reported, but may also consider making it mandatory for individuals reviewing or designing the system to report any disruptions or errors to stakeholders as soon as possible.
In order to increase public confidence, some critics of e-voting contend that it should be mandatory to report defects or errors as soon as they become known (Jones and Simons 2012). This would place a positive obligation on electoral officials, candidate representatives and third parties to disclose vulnerabilities discovered while testing. For instance, in response to concerns about manufacturers of voting machines not being forthright about system errors, California enacted legislation imposing a fine of US$1,000 per day on any manufacturer that uncovers an error, defect or fault in its system and fails to report it within 30 days (California Elections Code, s. 19214.5).
In addition, a formalized process should be implemented so that reports of electoral incidents are quickly reported to all stakeholders. While the GC Information Technology Incident Management Plan contains some requirements for reporting IT security incidents to the Government of Canada's newly created Cyber Response Unit, there is no public reporting requirement (Government of Canada 2012).
Once vulnerabilities are reported, a plan will need to be in place to respond to and rectify problems. Some incidents may require late patches to the system, even after it has been independently tested and approved. Responding may require quick fixes if problems become evident during actual voting. However, any change or alteration to the system raises questions about system integrity and the potential for manipulation of the electoral process. A clear process should be in place to handle software changes. At the very minimum, any change should require at least two individuals to be present when it is made, be clearly logged and communicated to scrutineers, and be available as a report to the public after the election.
Table 4 is a non-exhaustive list of some issues that have surfaced in the literature.
| Potential incident | Response required |
| --- | --- |
| Problems with software client installed on home computer | Re-release updated voting software. |
| Malware spread with ability to affect votes | Re-release updated voting software and alert voters to run anti-virus software before voting. Allowing re-voting could alleviate concerns. |
| System vulnerability or threat intrusions | A central server update may be needed, which may pose a serious threat to the electoral process. Assessment of the integrity of existing votes should be required. |
| Denial of service attack (attempt to overload servers with false traffic) | A server response may be needed. The voting period may need to be extended. In some cases, outside traffic (international voters) may need to be redirected or blocked. |
| Erroneous ballots being submitted | Will have to identify whether this is a system error or an attempt to spoil ballots. |
We recognize that often suppliers may have a vested interest in not reporting problems with software. In the case of electoral software, the consequence could be disastrous. Legislation should be created to require that any known errors be reported immediately to appropriate authorities. Additionally, the electoral authority should create regulations and policies outlining how it will respond to problems and clear procedures on how updates to the software can be made.
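The "two individuals present, clearly logged" rule for software changes described above, as an added worked example that is not code from the paper or from any election authority: a tamper-evident change log in which no entry is accepted unless two distinct people approve exactly that change, and in which any later edit to an entry breaks the chain. It assumes that each approver holds a personal HMAC key as a stand-in for a real digital signature on a hardware token; the approver names, keys and change records are constructed for the demonstration, and the log is held in memory rather than on disk.

```python
"""Added example, not from the paper or any election authority: a tamper-evident
change log for e-voting software in which no entry is accepted unless two
distinct people approve it (the "two individuals present" rule above).
Assumptions: each approver holds a personal HMAC key (a stand-in for a real
digital signature on a hardware token); approver names and keys are
constructed for the demo, and the log lives in memory.
"""
import hashlib
import hmac
import json

# Constructed demo keys. In production each key would live on its owner's token.
APPROVER_KEYS = {
    "admin_a": b"demo-key-admin-a",
    "auditor_b": b"demo-key-auditor-b",
    "scrutineer_c": b"demo-key-scrutineer-c",
}
GENESIS = "0" * 64


def entry_digest(prev_digest, change):
    """Hash that chains this change to everything recorded before it."""
    payload = json.dumps({"prev": prev_digest, "change": change}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def approve(name, digest):
    """An approver's MAC over the entry digest (stand-in for a signature)."""
    mac = hmac.new(APPROVER_KEYS[name], digest.encode(), hashlib.sha256).hexdigest()
    return name, mac


class ChangeLog:
    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def record(self, change, approvals):
        """Append a change only if two different approvers vouched for this exact
        digest; one person alone (or one person twice) cannot push a change."""
        digest = entry_digest(self.head(), change)
        if len({name for name, _ in approvals}) < 2:
            raise PermissionError("two distinct approvers are required")
        for name, mac in approvals:
            if not hmac.compare_digest(mac, approve(name, digest)[1]):
                raise PermissionError(f"approval from {name} does not match this change")
        self.entries.append({"change": change, "digest": digest, "approvals": list(approvals)})
        return digest

    def verify(self):
        """Re-derive the chain; an edited entry or a dropped approval breaks it."""
        prev = GENESIS
        for entry in self.entries:
            digest = entry_digest(prev, entry["change"])
            names = {name for name, _ in entry["approvals"]}
            if digest != entry["digest"] or len(names) < 2:
                return False
            for name, mac in entry["approvals"]:
                if not hmac.compare_digest(mac, approve(name, digest)[1]):
                    return False
            prev = digest
        return True


if __name__ == "__main__":
    log = ChangeLog()
    change = {"component": "ballot-server", "patch_sha256": "ab" * 32,
              "reason": "constructed example: fix ballot parser"}
    digest = entry_digest(log.head(), change)
    log.record(change, [approve("admin_a", digest), approve("auditor_b", digest)])
    print("chain valid:", log.verify())
    log.entries[0]["change"]["reason"] = "edited after the fact"
    print("chain valid after tampering:", log.verify())
```

Because each approval is bound to the digest of the current chain head plus the proposed change, an approval collected for one version of a patch cannot be reused for another, and scrutineers who receive a copy of the log can re-run verify() themselves rather than taking the electoral authority's word for what was changed and who agreed to it.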
Summary of Recommendations
Public confidence in an e-voting system will depend on comprehension and transparency. The legal framework should ensure the public has access to information about the system's integrity and security, and methods should be in place to allow key stakeholders to independently verify the security and integrity of the system.
While the implementation of electronic voting in some jurisdictions has required all e-voting source code to be published online or to use only open source code, we recognize there may be valid reasons for allowing suppliers to protect trade secrets and giving the electoral authority the flexibility to choose the most secure and reliable technology. Current legislation allows candidates' representatives to monitor all critical steps of voting. Similar steps should be taken with e-voting to ensure transparency. We recommend:
- Party- or candidate-appointed scrutineers should be able to view all source code and inspect physical technology.
- A formalized process should be created for academics and international observers to get similar access to ensure the integrity of the e-voting system.
- Decisions on whether to publicly post source code or use open source technology should not be legislated, but should be left up to electoral officials.
- Electoral officials should be required to provide public reports on the security and integrity of the e-voting system, as well as which external reviewers approve the system.
- Legislation or regulations should ensure that observers or developers immediately report errors to election authorities.
- Procedures should be in place to have election officials inform key stakeholders, including political parties, of security incidents.
Division of Roles and Responsibilities in Administering E-voting
A voting system is seen as trusted if it attracts voters and leads to confidence regarding the integrity of the published result and the secrecy of the vote (Volkamer et al. 2011). In a traditional election, Canadians are used to an independent electoral authority that administers an election, a comprehensive set of written elections procedures, the ability for parties to present scrutineers at important opportunities such as voter registration and counting, and the circumstances for a judicial recount. Voters may not witness their vote being counted, but they have confidence in the system based on participation of individuals whom they may trust and who operate locally.
Internet voting, while handling a function similar to special balloting, requires more specialized expertise (in information technology) than traditional procedures (Norwegian Ministry of Local Government and Regional Development 2006). There is also a need for a greater division of roles, as the system is far more centralized and there is a greater risk that the election results or voter privacy could be compromised if processes are not followed.
Certification and Approval
The idea of certification is much more predominant with legal frameworks for controlled e-voting than with uncontrolled e-voting. Often with voting machines, a certification organization is mandated to test equipment, verify its security features and allow, for instance, local governments such as those that operate in the United States, to rely on the expertise of external bodies about the reliability of equipment. Certification is also useful where electoral administration is decentralized and a variety of e-voting solutions may be adopted. In England, one of the recommendations coming out of the municipal election experiments with e-voting was to have a centralized certification body that could test and approve the systems before they get used (Electoral Commission 2007a). As Internet-based voting increases nationwide, there may be value in creating a dedicated Canadian certification authority that can assist lower-level governments and other organizations with certifying their electoral technology.
Third-party certification can act as a safeguard for authorities without the resources or expertise to conduct a full-fledged audit or internal review of an e-voting system. It can also serve as a means of due diligence for upper level governments that may wish to allow entities like local governments to use the system, while requiring local entities to choose equipment from an approved supplier. The US federal government relies heavily on certification and ties it to local election administrators seeking federal funding to purchase election equipment. The Help America Vote Act of 2002 s. 231(b) directs the Director of the National Institute of Standards and Technology to evaluate independent non-federal laboratories and recommend them for accreditation by the US Election Assistance Commission (EAC) to certify voting machines. The manual produced by the EAC specifies in detail the procedural requirements that must be fulfilled for laboratory accreditation. Any laboratory that meets the relevant requirements can be approved for accreditation by the EAC. Individual states have the option of providing their e-voting machines for certification using EAC-accredited laboratories.
For Canada, requiring third-party certification could be an added measure of confidence that a system is ready to be used, but the same could also be accomplished by professional auditors or another independent reviewing organization. For example, in Estonia the independent National Electoral Committee, consisting of two judges, oversees elections; an auditor (KPMG Baltic) oversees compliance with procedures; and an independent programmer is hired to review the source code. In New South Wales, the Electoral Commission may approve an e-voting system if a set of criteria are met, and there is a requirement that the audit result be provided to the electoral commissioner seven days before a vote (Parliamentary Electorates and Elections Act 1912, s. 120AD(2)).
Final third-party sign-off may not provide enough flexibility when a system requires rapid changes in response to an active attack, but the principle that a system must pass a series of defined tests and a comprehensive assessment before each election still applies. Creating or appointing an independent entity with the ability to test for and anticipate new threats is important.
We recommend that some governmental body, committee or external agency separate from the IT staff designing the system be required to certify or approve key components of the system prior to its use. The legislation may use general language, such as requiring the electoral authority to appoint an independent, arm's-length and qualified reviewer before using the system in a general election.
Holding Cryptographic Keys
One of the most consistent means of ensuring secrecy of the ballot is cryptography. When a voter casts a ballot on a home computer, the ballot is encrypted before it is transmitted so that it cannot be read in transit. To read the vote, someone must possess the corresponding cryptographic key, which is the only practical way to reverse the encryption. The votes are also stored in encrypted form at the central server, so that someone observing the server is unable to tell how a vote was cast until it is decrypted.
Most systems use a design analogous to a mail-in ballot: the vote is encrypted (the inner envelope), the encrypted ballot is attached to the voter's identity, and the whole is sealed in an outer envelope for secure delivery so that the vote cannot be manipulated along the way. The voter's identifying information is stripped from the ballot before the decryption key, known as the "private key", is applied.
The concern is that whoever possesses the private key has, in theory, the ability to uncover the choices of a vast number of voters if they can also reach the store of encrypted votes. This concern is addressed by storing the private key securely and by requiring more than one person to be present before it can be used.
In Estonia, the private key is stored on a tamper-resistant hardware security module and protected by a multiparty authentication scheme. In order to access the private keys, a quorum of the National Electoral Committee is required to provide a password (Heiberg et al. 2011).
In Norway, the regulations require the key to be held by those with diverse interests. In order to satisfy this requirement, an electoral board is formed with 10 representatives of different political parties, each receiving a portion of the key (OSCE 2012b).
Switzerland, on the other hand, generated a key that was kept by a police officer but which required two passwords, held by a notary and by two groups of election officials, to unlock. New South Wales regulations allow the commissioner to appoint a five-person board to control the keys, and three keys must be present to open a ballot box (Brightwell 2011).
We recommend that the legal framework require that any cryptographic key be divided among a sufficient number of persons recommended by different political entities and that appropriate security steps be taken.
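The envelope structure and the key custody arrangements described above, as an added worked example that is not code from the paper or from any of the jurisdictions discussed: a toy double-envelope ballot in which the election private key never exists in one place but is split into five Shamir shares, any three of which (the New South Wales arrangement) can reconstruct it. The ElGamal group is a 64-bit safe prime generated at run time, far too small for real use; the outer envelope simply names the voter where a real system would carry the voter's digital signature; and the voter names and candidate numbers are constructed for the demonstration. These are assumptions of the example, not details of any deployed system.

```python
"""Added example, not from the paper or any election authority: a toy
double-envelope ballot whose election private key is split k-of-n among
trustees. Assumptions: a 64-bit safe-prime ElGamal group made at run time (far
too small for real use) and an outer envelope that only names the voter where
a real system carries the voter's signature. Needs Python 3.8+ (pow(x, -1, m)).
"""
import secrets
from collections import Counter


def is_probable_prime(n, rounds=24):
    """Miller-Rabin, used only to pick the toy group parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe prime p = 2q + 1 and a generator g of the prime-order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # a square has order q or 1
        if g != 1:
            return p, q, g


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1  # election private key, never stored whole
    return x, pow(g, x, p)


def encrypt(p, q, g, y, m):
    r = secrets.randbelow(q - 1) + 1  # fresh randomness for every ballot
    return pow(g, r, p), m * pow(y, r, p) % p


def decrypt(p, x, ct):
    c1, c2 = ct
    return c2 * pow(c1, -x, p) % p


def split_key(x, n, k, mod):
    """Shamir shares of x over GF(mod): any k recover it, k-1 reveal nothing."""
    coeffs = [x] + [secrets.randbelow(mod) for _ in range(k - 1)]
    shares = []
    for i in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at i
            v = (v * i + c) % mod
        shares.append((i, v))
    return shares


def recover_key(shares, mod):
    """Lagrange interpolation at zero, run only when a quorum is present."""
    x = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % mod
                den = den * (xi - xj) % mod
        x = (x + yi * num * pow(den, -1, mod)) % mod
    return x


def strip_identities(envelopes, eligible):
    """Check eligibility on the outer envelope, keep each voter's last ballot,
    then drop identities and shuffle before anything is decrypted."""
    last = {e["voter"]: e["inner"] for e in envelopes if e["voter"] in eligible}
    anonymous = list(last.values())
    secrets.SystemRandom().shuffle(anonymous)
    return anonymous


def tally(p, anonymous_ballots, quorum_shares, q):
    """A quorum rebuilds x and counts; a lone administrator cannot."""
    x = recover_key(quorum_shares, q)
    return dict(Counter(decrypt(p, x, ct) for ct in anonymous_ballots))


if __name__ == "__main__":
    p, q, g = make_group()
    x, y = keygen(p, q, g)
    shares = split_key(x, n=5, k=3, mod=q)  # five trustees, any three open the box
    cast = [("alice", 1), ("bob", 2), ("alice", 2), ("mallory", 1)]  # constructed
    # outer envelope names the voter; inner envelope is the encrypted choice
    box = [{"voter": v, "inner": encrypt(p, q, g, y, c)} for v, c in cast]
    print(tally(p, strip_identities(box, {"alice", "bob"}), shares[:3], q))
```

Running the block prints {2: 2}: Alice's second ballot overrides her first (the override rule noted above for Estonia), Mallory's envelope is rejected at the eligibility check, and the two remaining inner envelopes are decrypted only after the identities have been dropped and the order shuffled. Because the shares are points on a random degree-two polynomial over GF(q), any two trustees together learn nothing about x; keeping each share on a separate token and logging every reconstruction is the operational counterpart of the legal requirement recommended here.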
Division of Technical Activities
Similar to the distribution of cryptographic keys, it is important that sufficient checks and balances exist throughout the e-voting system so that the authority and capacity to make changes are widely distributed. Electronic voting is inherently centralized, so the legal framework should require procedural decentralization and safeguards that make unilateral abuse infeasible.
Additionally, the legal framework should not permit unilateral access to any critical component of the e-voting system and should ensure the system is designed so that there is no feasible way to determine how voters voted and that no partial report is available prior to the closing of the polls (Volkamer et al. 2011).
The division of technical activities should be enforced both by technical measures and by physical separation. In its pilot projects, Norway ran the vote decryption server in a different location from the vote-recording servers, under different divisions of the government. Estonia runs each process on a different server, with different individuals authorized to run each process, so that there is both a separation of duties and a separation of critical components (Volkamer et al. 2011).
Legislation, regulations or policy statements from the Chief Electoral Officer should ensure that voter secrecy is achieved through the division of technical roles, so that no individual can unilaterally access and manipulate processes or data.
Summary of Recommendations
A successful implementation of e-voting will require well-defined roles and responsibilities to ensure the system is secure and to provide the public with confidence that any negligence or mischief at the electoral authority cannot affect the accuracy of the votes or voter anonymity. The legislative framework should ensure that e-voting does not overly depend on any one individual or closely connected group. We recommend:
- Some independent group with recognized technical expertise, internal to Elections Canada or external, should be required to certify and approve that a system is secure, reliable and ready to be deployed in a general election.
- Roles should be assigned to determine if an electronic voting system's security, integrity or privacy has been breached.
- Cryptographic keys should be divided among enough individuals, ideally representing different political parties, to protect voters' privacy and ensure votes are not prematurely decrypted.
- A general division of technical roles and duties should be in place across the electoral authority to counter concerns regarding centralization and collusion and ensure that at least two unconnected people approve any changes.
Contingency Planning for Worst-Case Scenarios
While every reasonable effort should be made to design systems that will not fail, the legal framework must take into account the possibility that there will always be an element of risk. This could include an error in design and operation; outside sources of interference, such as power outages, that affect computer equipment; natural disasters; or attempts to hack into the systems or disrupt the vote.
It could be a very serious stain on the operation of Canadian democracy if failures or tampering led to the effective disenfranchisement of some citizens, which could alter outcomes or undermine public confidence in the process.
The legal framework to address breakdowns in the system should adopt procedures and regulations that ensure e-voting can be carried out in an efficient, prompt and trustworthy manner. The framework must also be flexible enough to adapt to future challenges.
Remedial Legislation for Emergencies
The Canada Elections Act provides the Chief Electoral Officer with a high level of discretion to ensure the smooth conduct of elections in the face of unforeseen issues. Section 17.(1) is particularly important, as it gives the Chief Electoral Officer the power to adapt any provisions of the Act in case of "emergency, an unusual or unforeseen circumstance or an error". If problems occur during voting that are not apparent until afterwards, s. 524 gives a court the ability to annul an election if "there were irregularities, fraud or corrupt or illegal practices that affected the result of the election".
Confidence in the legal framework will be increased if democratic debate can validate the procedures taken to respond to a threat, and Canadians can know in advance what steps will be taken to ensure the integrity of the election. Ideally, the legislation should provide some guidance on how the electoral authority should react to certain events, particularly where it may involve delaying or even cancelling e-voting.
One specific issue that is distinctive to e-voting is the potential for denial of service attacks. A denial of service attack is generally caused by a web server being deliberately overloaded with more simultaneous requests than it can handle, often generated by malware that remotely controls thousands of infected computers and directs their traffic at the target. This may result in a voting website being either slow or virtually inaccessible during an attack. A denial of service attack was the reported cause of delays in voting at the 2012 NDP leadership race, likely worsened by the short window of time allotted to voting.
Holding online voting well in advance of the day of the election is one way to mitigate this risk. This may be supplemented by allowing the electoral authority to temporarily extend the Internet voting period. Section 17.(3) of the Canada Elections Act currently sets conditions for when voting at a polling station may be extended, and a similar provision should exist for electronic voting. To be effective, any extension of e-voting as a result of a major disruption may need to be at least a calendar day to communicate to the electorate and give voters ample time to again attempt to vote.
In Estonia, a plan is in place to fend off potential attacks on the system conducted by foreign entities such as denial of service. In such a case, the electoral authority would block access to the e-voting system to anyone located outside of Estonia with the exception of voting conducted at embassies.
Sometimes it is not only real threats, but perceived or potential threats that can trouble voters, such as the possibility of their vote not having been cast or counted. Both Norway and Estonia permit a voter to cast an electronic ballot numerous times, with only the final ballot being included in the count. Provisions are also in place to allow a voter to cast a paper ballot, at which time all electronic votes cast by that voter are annulled. Without a legislative amendment, electoral authorities in Canada would be arguably unable to implement this change, as s. 7 of the Canada Elections Act prevents an individual from requesting a second ballot once they have already voted.
In the case of a system breach, Estonia's National Electoral Committee has the power to cancel e-voting and authorize voters to revote on election day (Canada-Europe Transatlantic Dialogue 2010). This general authority has been further defined by Estonian Bill 186, which would give the Electoral Committee explicit authority to suspend or terminate the electronic vote and to revoke all or some of the votes. In the case of cancellation of a vote, the legislation mandates that the Electoral Committee must immediately inform all voters who have voted online and make provisions for them to revote.
In Norway, the Data Protection Inspectorate, an independent state agency, implements the Personal Data Act and has authority to stop the election if personal data are improperly handled (OSCE 2012b). Likewise, article R176-3-3 of France's Electoral Code allows the office of electronic voting to permanently or temporarily stop Internet voting if its integrity, secrecy or accessibility is no longer guaranteed.
Lastly, if a serious vulnerability ever surfaces, a decision would have to be made as to whether to stop the online voting and whether the integrity of currently cast votes would be able to be maintained.
The electoral authority should establish protocols for determining if and when to shut down e-voting, under what conditions to extend voting and what plans are in place to ensure the integrity of the vote in case of a breakdown. Ideally, legislation should be amended to give the electoral authority explicit authority to cancel or terminate votes, as well as ensure that voters who cast their vote online are provided a sufficient opportunity to cast a paper vote in the case of any concern with the e-voting system.
Legal Status of Invalid Votes
In Norway's 2011 election, seven votes that were cast electronically returned erroneous results for unknown reasons. It is sometimes hard to determine whether this is an error in transmission or encryption, or an intentional effort by someone with the technical savvy to submit a digitally spoiled ballot. The Organization for Security and Co-operation in Europe thus recommends that a clear criterion be established in the electoral framework to determine the status of corrupted ballots and that procedures be updated to ensure timely detection thereof (OSCE 2012b). In Estonia, one invalid vote was submitted, but Estonian authorities did not undertake a comprehensive investigation to determine whether it was accidental or intentional, fearing it would create a negative precedent on breaking the secrecy of votes (Heiberg et al. 2011). Nonetheless, the legal uncertainty regarding corrupted votes has prompted legislative changes. New legislation in Estonia, Bill 186, treats all irregular votes as invalid.
For Canada, the legislation itself may need to define whether such erroneous ballots are presumed spoiled ballots or irregularities. The importance is not trivial, since irregularities under s. 524 of the Canada Elections Act would potentially lead to an election being overturned, whereas spoiled ballots would typically be excluded from the final count. The onus would be on those contesting the election to show an irregularity existed, but this may require technical experts to testify, which may exacerbate the tension that already exists "between allowing an application to contest an election on the basis of irregularities and the need for a prompt, final resolution of election outcomes" (Opitz v. Wrzesnewskyj, paragraph 47).
The current Canada Elections Act requires a judge conducting a recount to reject votes that have been marked in a way that contravenes the Act, but the legal status of digitally transmitted ballots may be unclear, as the Act does not address digital markings. The Canada Elections Act should be amended to provide more specific guidance than it currently does on whether an irregular electronically cast vote is invalid or may be considered an irregularity.
The Council of Europe recommends that recounts be permitted. Currently s. 300 of the Canada Elections Act mandates that recounts happen in races where the margin of victory is less than 0.1 percent of the votes cast.
At least one Canadian jurisdiction has procedures for a recount when e-voting has occurred. Halifax prescribes that for a recount, the original file containing the encrypted votes is to be verified by an independent third-party expert; a judge then decrypts the votes and ensures that the totals match (Canada–Europe Transatlantic Dialogue 2010).
It does appear to be a sound general concept that whenever an official recount is conducted where e-voting was used, an expert third party should be available to assist the judge to verify technical issues, in addition perhaps to scrutineers from candidates who may also review the data. The Canada Elections Act currently allows a judge to retain support staff to assist in a recount. An independent technical expert can provide confidence that the counting is correct and that no data have been manipulated.
With voting machines in a controlled environment, it is often recommended that paper verification records be printed to ensure a recount can be conducted. With online voting, paper receipts are less feasible, as the data would need to be decrypted before receipts could be printed. However, maintaining backups of the voting data on an unalterable medium such as a tape drive may be sufficient. Additionally, it may be possible to calculate and record cryptographic checksums (such as hashes or message authentication codes) alongside the voting data that can later be used to validate the integrity of the stored results. These values would provide a reliable level of certainty as to whether any electronic records have been accidentally or intentionally altered.
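As an added example of recording cryptographic values beside the stored votes (not code from any system the paper discusses), the following stores each encrypted-ballot record with the SHA-256 hash of the previous record and an HMAC over its own hash. The hash chain makes deletion and reordering detectable; the MAC, whose key is held outside the vote store (for instance by the independent expert or split among trustees), prevents an insider who can rewrite the files from simply recomputing a consistent chain. The record fields, ciphertext placeholders and the MAC key are constructed for the illustration.

```python
"""Tamper-evident storage of e-voting records (added example).

Each stored record carries prev_hash (SHA-256 of the previous record, a hash
chain) and mac (HMAC-SHA256 over the record's own hash). The sample records,
ciphertext placeholders and MAC key below are constructed for this example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record):
    """Deterministic byte encoding so hashes do not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, record, mac_key):
    """Append `record` (dict of stored fields) to `log`, chained to the previous
    entry and tagged with the MAC key. Returns the log."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = dict(record, prev_hash=prev)
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(mac_key, entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append(dict(body, entry_hash=entry_hash, mac=tag))
    return log


def verify_log(log, mac_key):
    """Walk the chain; return (True, None) if intact, else (False, index) of the
    first entry whose link, hash or MAC does not check out."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
        if body.get("prev_hash") != prev:
            return False, i
        expected = hashlib.sha256(_canonical(body)).hexdigest()
        if expected != entry.get("entry_hash"):
            return False, i
        tag = hmac.new(mac_key, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, str(entry.get("mac", ""))):
            return False, i
        prev = expected
    return True, None


# Constructed sample: three encrypted-ballot envelopes as an audit store might hold them.
SAMPLE_RECORDS = [
    {"seq": 1, "received": "2012-10-01T09:00:00Z", "ciphertext": "ct-0001"},
    {"seq": 2, "received": "2012-10-01T09:00:07Z", "ciphertext": "ct-0002"},
    {"seq": 3, "received": "2012-10-01T09:00:11Z", "ciphertext": "ct-0003"},
]
MAC_KEY = b"constructed-demo-key-not-for-real-use"


def build_log(records=SAMPLE_RECORDS, mac_key=MAC_KEY):
    log = []
    for rec in records:
        append_record(log, rec, mac_key)
    return log


def _copy(log):
    return json.loads(json.dumps(log))


def tamper_scenarios(mac_key=MAC_KEY):
    """Apply each manipulation to a fresh copy of the log and report what
    verify_log says about it."""
    results = {"intact": verify_log(build_log(mac_key=mac_key), mac_key)}

    edited = _copy(build_log(mac_key=mac_key))
    edited[1]["ciphertext"] = "ct-9999"               # alter a stored ballot
    results["edited"] = verify_log(edited, mac_key)

    deleted = _copy(build_log(mac_key=mac_key))
    del deleted[1]                                     # drop a ballot
    results["deleted"] = verify_log(deleted, mac_key)

    swapped = _copy(build_log(mac_key=mac_key))
    swapped[0], swapped[1] = swapped[1], swapped[0]    # reorder ballots
    results["reordered"] = verify_log(swapped, mac_key)

    # An insider rewrites the whole chain consistently but lacks the MAC key.
    rechained = []
    for entry in _copy(build_log(mac_key=mac_key)):
        rec = {k: v for k, v in entry.items()
               if k not in ("entry_hash", "mac", "prev_hash")}
        if rec["seq"] == 2:
            rec["ciphertext"] = "ct-9999"
        append_record(rechained, rec, b"wrong-key")
    results["rechained_without_key"] = verify_log(rechained, mac_key)
    return results
```

Running tamper_scenarios() shows the intact log verifying and each manipulation being reported at the first affected index. Note that when the chain has been recomputed without the key, every MAC fails, so the report points at index 0 rather than at the altered record; the check still establishes that the stored data cannot be trusted, which is what a recount judge needs to know.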
From a practical perspective, Parliament may wish to change the Canada Elections Act to exclude e-votes from the automatic recount provisions triggered by close election results. The rationale for automatic recounts is to ensure counting errors or misplaced ballot boxes do not affect close results. Those same concerns with human tabulation errors do not apply to e-voting. Requiring every judicial recount to independently verify e-votes without further evidence of irregularities or fraud may be inefficient and unnecessary. Ideally, it should be within the discretion of a judge whether it is necessary to independently verify the e-voting results. Similarly, anyone with concerns over the validity of e-voting could apply under s. 524 if there is concern with fraud or irregularities.
The legal framework for handling recounts should involve a combination of legislative amendments as well as regulations created by the electoral authority. The legislation should define under what circumstances e-votes should be recounted and require the electoral authority to create detailed regulations describing how a recount will be conducted. The electoral authority may require some flexibility in determining recount procedures, since the exact procedures will depend on the e-voting technology.
Planning for a High Level of Availability
The legal framework should require that electoral authorities develop a comprehensive plan to ensure that an e-voting infrastructure can withstand natural disasters as well as attacks. Electronic voting systems are required to be available at all times during an election, and they must be capable of withstanding attacks to both software as well as hardware. The security of a voting system needs to be considered in regard to how it isolates and reacts to failure (Alvarez and Hall 2008).
The importance of this is not trivial. The 2011 Breivik terrorist attack in Norway destroyed part of the building that hosted parts of Norway's e-voting system. The system should be designed with no single points of failure: "If failure in one part of an information system can cause failure in other interconnected parts, then the system is susceptible to cascade failure" (Hole and Neglen 2010, 22).
Under a paper-based system, widespread failure in Canada is unlikely because votes are stored and counted in 308 electoral districts, at various polling stations. While it is possible to host electronic voting in each riding, the technical expertise needed to monitor and scrutinize the system may make it unfeasible. It may be possible to have some modularity, such as dividing or replicating servers in various regions. Norway has a decentralized system in which various components of the voting system are stored in physically different locations under the control of various ministries. Geneva's system replicates voting data and saves the information in various locations. Decentralizing increases the amount of resources required to administer the system, but decreases the effectiveness of attempts to disrupt or manipulate electoral systems.
Electoral officials should be required to have full plans covering possible disruption scenarios. The New South Wales auditor report mentioned this as one of the few deficiencies in the state's planning (PricewaterhouseCoopers 2011). The Australian state of Victoria, currently working to deploy Internet voting, has embraced a best practices framework that involves conducting ongoing risk assessments and assessing evolving risks. The system must be deployed using failure-critical engineering practices that are auditable and transparent (Buckland and Wen 2012).
Currently, the Chief Information Officer Branch of the Treasury Board of Canada Secretariat has a number of guidelines on security available that could assist electoral authorities in developing a risk management plan. Such a plan should be tailored for the particularities of electronic voting, including high availability, absolutely no data loss or manipulation and the need to adjust to ongoing risks and other threats.
A clear disaster recovery plan should be created by electoral officials and updated before each election. They should ensure the system is fully redundant and modular where possible. Important data, such as stored votes, should be required to be stored in duplicate. All known risks must be identified.
In addition to an internal plan to maintain the high reliability of an e-voting system, it is important that the legal framework provide the electoral authority the tools to collaborate with other government departments as well as third parties such as Internet service providers.
One of the key aspects of Estonia's success is that it has a highly integrated election process. Accessibility and authentication is very high because of the use of an integrated national ID card, which Estonians use for common tasks, including government services and even transit (Martens 2010). The use of the national ID card enhances voters' familiarity with the card and provides more confidence in the security measures when they use it to vote.
A second reason for the success in Estonia is the high level of co-operation in the protection of telecommunications infrastructure. As a response to an earlier attack on government infrastructure, Estonia now brings together telecommunications companies, IT staff and specialists from across the government to respond to any sort of threat. The National Electoral Committee, volunteers from an organization called the Estonian Defence League's Cyber Unit and others actively monitor Estonian web traffic for potential attacks or malware (Heiberg et al. 2011). Estonia has plans in place to disallow access to voting systems from outside of Estonia in case of a cyber-attack, allowing traffic from only embassies and trusted locations. The Organization for Security and Co-operation in Europe's report on Norway recommended that authorities collaborate with relevant agencies to provide monitoring and security during future elections (OSCE 2012b).
Canada's cyber security strategy in concept appears to recognize the need to bring together government institutions and the private sector to combat cyber security threats. However, this needs to be formalized for the specific risks that surface during an election to ensure that collective resources are brought together and are on standby 24/7 during the online voting period.
Electoral authorities should work closely with the Government of Canada's Computer Incident Response Team, computer security companies and Internet service providers to provide measures to check computers for viruses or potential malware that could affect computers used for voting, look out for systematic attacks and develop plans to combat possible electoral threats.
Summary of Recommendations
The Canada Elections Act contains some remedial language for reacting to worst-case scenarios, such as allowing the Chief Electoral Officer to adapt the Act in response to an "emergency, an unusual or unforeseen circumstance or an error" (s. 17.(1)) and permitting a judge to order a revote. Confidence in the e-voting legal framework will be increased if remedial contingencies for known electronic risks are included in legislation and clear disaster plans are implemented to detect and react to problems. The legal framework should ensure legislative certainty and finality of the results. We recommend:
- Clear procedures should be created, preferably in the Canada Elections Act, for cancelling electronic voting, notifying voters and allowing recasting of votes if privacy, security or integrity has been unacceptably compromised.
- The Act should list conditions under which officials may temporarily expand the online voting period if service is interrupted for more than a determined time.
- Requirements in the Act and regulations should be in place on how to treat invalid votes and other irregularities.
- Regulations should detail how electronic votes are handled during a recount, although we recommend that the Act provide judges with increased discretion as to whether e-votes should be recounted in the case of a close election result.
- A clear disaster recovery plan covering all known risks of disruption should be produced before each election.
- The government should ensure that a technical response team, including leading Internet service providers, other departments, and anti-virus and security vendors, is formed to identify and respond to potential threats during an election.
Voting over the Internet provides new opportunities for individuals intending to disrupt or influence an election. While a system should be inherently secure, disincentives such as fines or imprisonment can be used to discourage fraud and other activities. The legal framework should ensure that foreseeable activities are prohibited. Only Parliament can create criminal offences, and legislative changes will have to be made to ensure that electoral offences cover Internet and electronic threats.
Influence while E-voting
Internet voting, similar to voting by mail, is potentially susceptible to coercion or vote buying when the voting occurs in an uncontrolled environment. The current election law requires anyone assisting another in casting a vote to mark the ballot as the elector intended and refrain from attempting to influence the voter in choosing a candidate (Canada Elections Act, s. 155). These provisions are broad enough that they should cover those attempting to influence a voter casting their ballot over the Internet. Parliament, out of an abundance of caution, may wish to add a provision to the Canada Elections Act to specifically make it an offence to influence a voter casting their ballot electronically.
Some jurisdictions have provisions to ensure that the design of e-voting software does not influence voters by benefiting one candidate over another. Switzerland's federal ordinance on political rights prohibits misleading or manipulative messages on a voting website (article 27e). The Canada Elections Act currently includes standards for ballot design. It may be possible to include the design of the e-voting ballots in the legal framework or require an e-voting software to randomize the order of names, although this is likely best left to the electoral authorities based on the capacity of the voting technology.
The Canada Elections Act makes it an offence for voters to show their ballot to prove how they have voted (s. 164(2)b). For the purpose of clarity, an amendment to the section could be made to ensure that it is also an offence to show reproductions (such as a video) of casting a ballot. Electoral authorities may also wish to have the voting software warn voters of any such offence. On the other hand, with the rise of social networks and photo sharing software, it may be futile to prevent individuals from sharing which candidate they voted for. A better solution may be to follow Estonia, which allows voters to change their vote online or by voting in person, thus rendering reproductions of a vote meaningless because the reproduction might not reflect the final vote.
The current punishment under the Canada Elections Act for offences under subsection 164(2) is imprisonment for up to three months in jail or a maximum fine of $1,000 or both. Halifax's bylaw sets a higher $10,000 for influencing a voter in a municipal election.
We recommend that the Act impose a higher punishment for attempting to influence a person e-voting.
Secrecy of Electronic Ballots
Current law requires election officers, candidates and candidate representatives to maintain the secrecy of the vote (Canada Elections Act, s. 164). Furthermore, anyone assisting another in casting a vote is prohibited from disclosing how that person voted (s. 155). Section 164, however, does not refer to technical staff or vendors who potentially have access to voting data.
New South Wales introduced a provision aimed at e-voting whereby any person who becomes aware of how an eligible voter voted is not to disclose it (Parliamentary Electorates and Elections Act 1912, s. 120AG(1)). The law requires any technical staff or individuals working on the system to sign a form acknowledging that they are aware of the offence.
Another area of concern regarding the secrecy of the vote is that some workplaces and computers may have software installed that allows systems administrators to observe computer activity, including for legitimate purposes such as providing technical support. Reasonable steps, including warnings, should be taken to protect a voter's privacy in this regard.
We recommend that Parliament broaden s. 164 of the Canada Elections Act to ensure that individuals such as third-party contractors or companies monitoring workplace computers maintain the secrecy of the vote and take reasonable steps to ensure they do not accidentally observe someone voting using a monitored computer.
Hacking or Disrupting the E-voting System
Electronic voting is more vulnerable than traditional voting to widespread, systematic attacks. The most common threats are those actually attempting to break into the system, as well as "denial of service" attacks (as mentioned above) that try to discourage people from voting by overloading servers with fake requests.
Traditional offences under the Canada Elections Act include the use of forged ballots, ballot box stuffing and ballot destruction (s. 167). The maximum penalty for violating s. 167 on conviction on indictment is a $5,000 fine, five years in prison, or both.
Prior to using Internet voting, New South Wales created a specific offence with a fine or imprisonment for up to three years, or both:
A person must not, without reasonable excuse, destroy or interfere with any computer program, data file or electronic device used, or intended to be used, by the Electoral Commissioner for or in connection with technology assisted voting. (Parliamentary Electorates and Elections Act 1912, s. 120AI)
It should be an electoral offence either to interfere or attempt to interfere with any software or hardware used for electronic voting, enforced with severe fines and potential for imprisonment. Electoral officials should create regulations and policies to facilitate legitimate testing of electoral technology.
Spoofing and Misinformation
One of the concerns with e-voting is that "spoof" voting websites or emails that pretend to originate from Elections Canada may confuse voters and potentially mislead them into thinking they voted.
Current electoral law in Canada prohibits printing a ballot or what purports to be a ballot at an election with the intention of causing the reception of a vote that should not have been cast or the non-reception of a vote that should have been cast. The manufacture of ballot boxes with hidden compartments is also prohibited (Canada Elections Act, s. 126).
There is currently no offence for creating a fake voting site. It would undermine the confidence in the electoral system if individuals were able to create fake voting sites or to knowingly distribute links to such sites with the intention of misleading voters.
It should be an electoral offence to wilfully create or distribute to the public communications including websites that may mislead voters. Election officials may also consider providing a method for voters to confirm their votes were counted.
Submitting Corrupted Ballots
Someone intent on disrupting an election may not need to actually affect a vote, but may attempt to create the perception that there is a problem with the voting system. For example, one of the concerns is that it may be possible for a voter to knowingly alter a voting program on their computer to submit a false voting result. Similar to spoiling a ballot, it is possible for sophisticated computer users to alter their ballot so that it may be unreadable by vote tabulation software. It is foreseeable that software for doing so may be distributed during an election, potentially resulting in numerous erroneous ballots. Section 167(2) of the Canada Elections Act makes it an offence to alter, deface or destroy a ballot or put a ballot into the box other than as prescribed by the Act.
Our research did not identify legislation elsewhere that treats knowingly submitting a corrupted ballot over the Internet as an offence. A court in Estonia ruled that a voter who intentionally corrupted his ballot was not entitled to challenge the voting results, but there was no deterrent available to prevent him from submitting fake ballots in the first place.
Whether or not this should be an offence is debatable. Some may argue that the right to spoil one's ballot is a form of freedom of expression, and in addition the right to a secret ballot makes it very difficult to prove electoral offences without violating the secrecy of the vote. Others may argue that any action designed to undermine voter confidence in an election is a reasonable limit. This may include distributing software designed to help voters create a corrupted vote.
As long as it remains an offence to submit a spoiled ballot, even if it generally is impossible to enforce, the Canada Elections Act should be adapted to apply to a wilfully corrupted electronic vote.
Unauthorized Disclosure of Source Code
In section 0 of this paper, we recommended that electoral administrators implement a framework by which scrutineers, academics or other observers may be given access to the source code of the voting system. If a decision is made to not publicly distribute the source code, disclosure could be prevented by either contractual or legal measures. Estonia uses non-disclosure agreements to protect its source code. New South Wales, on the other hand, has a specific provision prohibiting the release of source code or software lists unless done under an authorized procedure. The latter makes it easier to modify terms of disclosure or create policy provisions governing the disclosure.
It should be an electoral offence to publicly distribute source code or other proprietary election information other than in accordance with authorized procedures. The Chief Electoral Officer or an authorized entity should create subordinate regulations or procedures to govern access and disclosure.
Summary of Recommendations
The Canada Elections Act contains a list of offences, cast in general terms, that may not be sufficiently broad or clear with respect to conduct that specifically concerns e-voting. In order to ensure legislative certainty and discourage disruptions to the electoral system, legislation should be passed to forbid attempts to abuse the e-vote system. Additionally, the potential for creating widespread voter fraud affecting multiple electoral districts should be taken into consideration in determining appropriate sentences or fines. We recommend:
- Fines and penalties associated with voting offences, including influencing the vote, should be increased.
- The Canada Elections Act should make it an offence for all technical support staff, vendors and anyone who may have access to the system to violate the secrecy of the vote.
- Employers (and others) who use screen capture technology or other methods to observe their computers should be required to take reasonable steps to ensure the secrecy of the vote, including alerting employees.
- Stiff penalties and specific offences should be created for attempts to systematically affect the vote, including disrupting election servers, manufacturing vote-altering software and interfering unlawfully with any electronic voting equipment.
- The Act should ban wilful creation, promotion and linking to spoof election sites that could lead someone to wrongly think that they have voted.
- The Act should make it an offence to wilfully corrupt and submit an e-vote.
- Legislation should prevent unauthorized disclosure of e-voting source code.
Technological Standards and Consultation
One of the challenges with formulating a legal framework for e-voting is that the framework needs to be flexible enough to adapt to improvements in technology, while meeting minimum standards such as ensuring the integrity of the vote, protecting voters' secrecy and responding to disasters. The framework should require that a technologically robust solution be in place before an electronic voting system is used in a real election.
While electoral legislation may set minimum standards, most of the practical technological decisions are best left to the discretion of the electoral authority, and contained in regulations, requests for proposals, technical plans and other administrative documents. Generally, the legal framework should be technologically neutral so as to ensure the best technology available can be chosen. However, with certain technological choices, there may be a need for a broader consultative process built into the framework or even specific legislative choices made by Parliament.
Requests for Proposals and Consultation
While the electoral authority may determine many of the technological standards, the legal framework should require a broad level of technical consultation before the final e-voting solution is determined. The consultation should provide an opportunity to create contractually binding requirements that can be scrutinized by the public prior to implementing e-voting. There are two primary ways in which the technical consultation can occur.
Consultation can occur prior to finalizing the technical specifications. Estonia, as one of the early leaders in e-voting, undertook a series of consultative efforts before developing the software. Estonia originally developed its system primarily in-house with the assistance of third-party software developers, but based it on detailed technical reports, threat assessments and requirements that were formed in collaboration with academics, experts and political parties. The resulting technical documents contained many specific design elements, security requirements and procedural standards (Estonian National Electoral Committee 2004). The National Electoral Committee uses these as the basis for auditing the system to ensure compliance.
A second way of conducting consultation is to incorporate consultation directly into the request for proposal and bidding process before choosing a software developer to create the e-voting system. This was the process undertaken by Norway. Prior to issuing a formal request for proposal, Norway's electoral authority initiated a six-month competitive dialogue with companies and consortiums to improve project specification before leading to a full tender (OSCE 2012b). As a result, software developers and the public were able to provide feedback on the detailed technical requirements. A technical specifications document is publicly available (Norwegian Ministry of Local Government and Regional Development 2009).
Whether the e-voting system is developed in-house or sent out to tender in a competitive bidding process, the legal framework should require a transparent consultation process before the technological specifications are finalized.
Permitting Voters to Recast Ballots
While many implementations of e-voting are generally very similar, there are certain key technological choices that should be debated by Parliament before they are adopted in the legal framework. One of these is whether to allow voters to change or update their vote once it has been cast online.
In Estonia, voters may submit more than one e-vote, with the system designed to count only the final vote. Earlier votes by the same voter are purged before the votes are decrypted, to ensure the privacy of each ballot. Voters who are concerned that their computer may have been hacked can revote, as can someone who felt pressure to vote a certain way. Voters can also override their vote by voting in person at an advance poll.
Vote updating is seen as a measure to establish trust regarding the integrity of a published result (Volkamer et al. 2011). This would likely require a change of the Canada Elections Act. Additionally, the software must be able to purge redundant votes. Overriding a previous vote could be done unlimited times, as in Norway and Estonia, or conditions may be in place to do so only once at an elections office.
While vote updating is a valuable tool that can be used to alleviate concerns with vote buying or computer problems, it would be a new concept in a Canadian election. As such, there may be concerns with whether voters who vote online are given an advantage over voters who vote by paper.
While vote updating may raise concerns with whether voters are treated equally, a court in Estonia found that vote updating was a legitimate infringement on the right to equality. A legal challenge was submitted to Estonia's Supreme Court on the grounds that there was a principle of uniformity that was violated if electronic voters could cast a ballot more than once (Constitutional Judgement 3-4-1-13-05). The president argued that the constitution required votes be cast only once and that every voter be given an equal opportunity, and as such not all voters had the opportunity to change their vote. The court rejected the principle of absolute equality, finding that modernization of electoral processes was a legitimate infringement of the right to equality and principle of equality (paragraph 26). The court found that vote updating was an appropriate means to protect the freedom of elections and secrecy of voting against outside influences, which previously was guaranteed through the privacy of a polling station (paragraph 32).
In our opinion, voter confidence in Canada would be increased if the legal framework could permit voters who cast their ballot online to update their vote either online or in person at a poll. However, this should be debated further by Parliament.
Receipts and Voter Verification
A second technological choice that requires more extensive debate and consultation is whether voters should be permitted to verify that their vote counted. Not every jurisdiction permits voters to verify their vote, and new methods of verification are emerging. The legal framework may have to be adapted in order to accommodate this. The primary method used to allow voters to verify their vote is through the use of a voter receipt. A voter receipt is a code confirming to a voter that their vote has been counted and, in some cases, demonstrates that a vote has not been manipulated. The voter receipt would remain private unless the voter chose to share it. Some systems require cryptographic proofs to connect it to a vote.
There is currently no functional equivalent to a voter receipt in Canada, as a paper-based system cannot ascertain whether a vote was accurately counted or spoiled, although it does allow for recounts. This was a major issue in the 1995 Quebec referendum, when it was found that in some polling districts in non-francophone ridings over 50 percent of the ballots were rejected (Shaffer 2008).
Voter receipts are a confidence measure designed to assure voters the system has worked, although it is unclear what the remedy would be if a voter claimed the vote in the system did not reflect the one they cast. (Footnote 11)
Whether a voter receipt is valuable or necessary is debated. Depending on how a voter receipt is designed, it may allow voters to prove how they voted, which may open the door to vote buying. Some have claimed receipts provide a false sense of verification (Open Rights Group 2007). Others claim they are necessary to create an audit trail that is verifiable (Goldsmith 2011). Some systems allow a voter to confirm their vote on the final tally, although there is a risk that this could be used by voters who sell their votes to prove how they voted.
A 2006 Dutch election provided voters with a candidate code they entered in voting, and a technical code that they later received. With both pieces of information, a voter could confirm how they voted. The election authorities "effectively opted to surrender protection against coercion of a voter in favour of greater transparency" (OSCE 2006, 15).
Norway, in order to provide end-to-end verifiability, created a system where a voter received a secret return code via text message after voting so they could verify their vote was counted as cast, although this was not provided in the final count (OSCE 2012b). Alternative means have also been tried to allow voters to verify their vote. Swindon, one of the English municipalities experimenting with Internet voting, allowed voters to enter a secret word that could be cryptographically connected to their vote (Open Rights Group 2007).
Estonia did not allow receipts in any of the previous elections, although Bill 186 proposes to allow voters to verify that their vote has been cast in future elections.
A voter receipt is one of the areas where there is a potential for values to conflict, possibly pitting having a transparent and verifiable election against the absolute secrecy of a ballot. At this early stage, this may be an area that deserves more public consultation. We recommend that the Canada Elections Act allow, although not require, election authorities to issue regulations detailing how voters can confirm their vote is counted.
Casting Blank Ballots
One of the main differences between a paper ballot and an e-vote is that under a paper system, voters can easily reject or spoil their ballot. Whether the legal framework for e-voting should allow voters to spoil their ballot will likely need further debate and consultation.
One of the advantages of Internet voting is that it eliminates the subjective role of returning officers in rejecting spoiled ballots that may have been accidentally or intentionally marked in a non-prescribed way. This, however, may not satisfy those who reject or spoil their ballots in protest.
The Council of Europe recommends that the "e-voting system shall provide the voter with a means of participating in an election or referendum without the voter exercising a preference for any of the voting options, for example, by casting a blank vote" (COE 2005, 10).
Not all implementations have permitted this. Estonia's voting software did not provide the option to cast an empty or blank ballot (Heiberg et al. 2011). On the other hand, Norway provides the option to cast a blank vote at the end of a ballot (Barrat i Esteve et al. 2012c). Halifax's request for proposal for potential e-voting vendors also mandated that the process include an option to provide a blank vote.
It is possible that a future court in Canada could find that the constitutional right to vote includes the right to cast a blank ballot; however, the current jurisprudence does not appear to be determinative. At the very least, the failure to provide voters an option to cast a blank ballot may serve as an incentive for individuals to attempt to use technological means to submit corrupted votes.
While more debate may be warranted, we would recommend that the legal framework permit the electronic voting system to record intentionally blank or spoiled ballots.
Summary of Recommendations
The legal framework for e-voting should give the electoral authority a high degree of flexibility to choose the most secure technology, work on cost-effective solutions and deliver accurate results. Legislation should generally be permissive to allow new technology as long as it is secure, accurate and protects voter anonymity. A consultative process may be set up to ensure that the best technology is chosen. However, the choice of technology may also depend on certain functionality and features that may require trade-offs, such as between transparency and absolute secrecy. In those circumstances, legislative amendments and parliamentary discussion may be required. We recommend:
- A transparent consultation process should be in place before technological standards or requests for proposals are formalized.
- Parliament should discuss allowing voters to update or recast their e-ballot.
- Officials should be permitted to introduce additional technology, including voter receipts or advanced authentication methods, if they are satisfied that it will increase integrity without disproportionally affecting the privacy of the voter.
- Voters should be permitted to cast a blank ballot.
Testing and the Integrity of the Vote
Public confidence in e-voting will depend on what measures are taken to ensure that votes are accurately recorded, transmitted, received and counted. While there is legally a presumption of regularity in elections in Canada (Opitz v. Wrzesnewskyj), the less transparent nature of elections conducted using distance technologies likely means that the public will not be easily satisfied with a mere presumption, rather than solid evidence, that the system is working properly. The legal framework should ensure there are credible and transparent measures in place to verify and document that the e-voting system is working properly.
Pre-deployment Testing and Implementation
In pilot projects conducted in England, one of the biggest criticisms was that local authorities allowed only six months between deciding to conduct a pilot project and election day. This did not allow sufficient time for planning and testing the e-voting solution (Electoral Commission 2007a).
It is important that any testing, if open to the public, be conducted only when full security measures and functionality are in place to avoid creating confusion or any impression that the final system may be flawed (Volkamer et al. 2011). An example often used by those who oppose Internet voting is an attempt to use Internet voting for an election in Washington, DC. Organizers challenged the public to attempt to hack into the system, which was successfully done by a team from the University of Michigan. The team managed not only to alter the votes, but also to manipulate the system and even access video cameras located on the same computer network (Wolchuk et al. 2012). The system was not a typical Internet-based voting system where a user logged into a website to vote, but was designed so voters could upload a ballot they filled out in Adobe Acrobat to the server. The hackers found that by changing the file name, they could run system commands, and the administrators had not even changed the default system passwords. While an independent security review may have identified many of these problems, the public release of a pre-election test proved to undermine public confidence, and Washington did not proceed with Internet voting.
Where jurisdictions have implemented extensive pre-election testing by independent experts, the elections have gone far more smoothly. New South Wales had an independent auditor perform penetration tests, programming code testing, cryptographic testing and infrastructure security tests before the system was permitted to go live. The New South Wales auditor, however, recommended that the regulations require clear criteria for tests to be conducted before a system is used in a real election (PricewaterhouseCoopers 2011).
In order to ensure that an e-voting system is secure, the legal framework should require the electoral authority to establish a set of procedures and tests that must be completed before a system is able to go live. These procedures should be updated before each election to ensure that the system is protected against new threats or vulnerabilities.
Accessibility and Usability Testing
One of the rationales behind using Internet voting is accessibility. The legal framework should require accessibility and usability tests to be conducted before each election. For best results, users, including those with disabilities, should be involved in both the design as well as testing of the equipment (Goldsmith 2011).
One of the common usability recommendations is that voters should have the ability to interrupt their voting prior to submitting their ballot and continue at a later time. A voter should also know clearly if a vote has actually been submitted by the system and received by the election authorities, and there should be no ambiguous steps in the process.
Also, the importance of proper instructions cannot be overstated. An election in Finland using controlled e-voting was annulled after a high number of electronic ballots were never submitted due to erroneous instructions that did not instruct a voter to keep their voting card inserted until after a final confirmation screen was shown. An administrative court ruled that instructions that were sent to voters did not clearly state that a secondary confirmation screen had to be clicked and the court ordered the election to be repeated (KHO:2009:39).
Sufficient usability tests are needed to ensure no one is accidentally disenfranchised. Accessibility should not be an afterthought, as it may also be related to security features. The less secure and controlled, the more accessible a system may be (Goodman et al. 2010).
Prior to use in a general election, extensive tests involving disabled voters, seniors and non-technical voters should be conducted using the voting system to ensure usability. The electoral authority should create procedures outlining how it will conduct these tests.
Physical Security Requirements
The legal framework should include provisions for physical security. This may include stating who has access to server equipment and under what conditions during elections. The general concept should include at least a two-person rule, where at least two individuals must be present to access any hardware or system component during an election or to make a software change (Electronic Frontier Finland 2009).
There are a variety of security measures and regulations. In the Indian state of Gujarat, regulations require that three smart card holders be responsible for starting and stopping the polls, and the data centre must be physically unplugged from the Internet prior to the beginning of voting (Urban Development and Urban Housing Department Orders).
Norway increases physical security by dividing critical elements among various governmental departments to ensure that system components are isolated from manipulation. Estonia has two government departments overseeing security and an auditor is present during the election to observe compliance (Electronic Frontier Finland 2009). Estonia also videotapes all system activity, as an added security measure, so that any unauthorized physical access to the system can be identified.
The regulations should detail steps to ensure that physical equipment is secure and to ensure that no individual can make unilateral modification to the servers or software during an election.
Permanent and Auditable Record Requirements
One of the primary arguments in favour of using only paper ballots is that physical records exist and they are harder to manipulate. The legal framework should require an equivalent ability to ensure e-voting records are not manipulated.
The discussion regarding voting in a controlled environment often leads to mandating paper receipts that can be counted afterwards. In the United States, there is a requirement that voting machines print a paper copy as an audit record, although this practice is not always reliable, as some machines leave a paper receipt but do not provide voters with the ability to verify it (Jones and Simons 2012).
Paper backups in an Internet system are not common, since the votes could be modified before they are printed. New South Wales requires printed copies of each vote, although they are printed at the close of online voting.
While a paper record is an easy means of preserving auditability, cryptographic verification may allow third parties to develop auditing mechanisms that are just as good or better (Alvarez and Hall 2008). Cryptographic logs make it nearly impossible to alter a record without detection, as a mathematical check ensures that no data have changed.
Various countries use different methods of creating an unalterable record. Estonia backs up its voting data on tapes, which unlike hard drives cannot be rewritten (Martens 2012). Geneva, Switzerland, uses multiple servers and storage to prevent unauthorized manipulation, storing each vote cast on three different servers to protect against loss or potential manipulation of data (Chevallier et al. 2006).
Technical measures should be put in place to record all voting-related activity, including threats, disruptions, system failures, votes cast and invalid votes. It is important that the records be treated as a critical system, and like the votes, be incapable of alteration. This could involve writing logs directly to unalterable tape systems or using cryptographic technology to encrypt log files.
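One concrete form of the "unalterable record" described above is a hash-chained audit log, where each entry commits to the one before it. The following is an added example written for this page, not code from the paper or from any electoral authority's system; the event names, timestamps and ballot ids are constructed for illustration, and the `verify_against_head` check assumes the latest chain hash is held by an independent party (such as the auditor the paper describes).

```python
"""Tamper-evident audit log using a SHA-256 hash chain (illustrative example).

Each record stores the hash of the previous record, so editing, deleting or
reordering any entry breaks the chain at or after that point. Detecting a
rewrite of the final entry additionally requires comparing the chain head
against a value held outside the system (e.g. by an independent auditor).
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # placeholder "previous hash" for the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str   # from a trusted time source, ISO 8601
    event: str       # e.g. "vote_cast", "vote_invalid", "disruption"
    detail: str      # must never identify the voter behind a ballot
    prev_hash: str
    entry_hash: str


def digest(seq: int, timestamp: str, event: str, detail: str, prev_hash: str) -> str:
    """Hash a canonical serialization so every verifier hashes identical bytes."""
    payload = json.dumps([seq, timestamp, event, detail, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, timestamp: str, event: str, detail: str) -> Entry:
        prev = self.head()
        seq = len(self.entries)
        entry = Entry(seq, timestamp, event, detail, prev,
                      digest(seq, timestamp, event, detail, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Current chain head; this is the value to hand to the auditor."""
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify(entries: list[Entry]) -> tuple[bool, int]:
    """Walk the chain. Returns (True, count) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return False, i   # gap, reorder or deletion
        if digest(e.seq, e.timestamp, e.event, e.detail, e.prev_hash) != e.entry_hash:
            return False, i   # content edited without recomputing the hash
        prev = e.entry_hash
    return True, len(entries)


def verify_against_head(entries: list[Entry], expected_head: str) -> bool:
    """Internal consistency alone cannot catch a rewritten tail; compare the head too."""
    ok, _ = verify(entries)
    actual = entries[-1].entry_hash if entries else GENESIS
    return ok and actual == expected_head


def build_sample_log() -> AuditLog:
    # Constructed sample events covering the categories the paper lists
    log = AuditLog()
    log.append("2024-10-21T09:00:00Z", "polls_open", "online voting period started")
    log.append("2024-10-21T09:04:12Z", "vote_cast", "ballot id 1001 accepted")
    log.append("2024-10-21T09:05:30Z", "vote_invalid", "ballot id 1002 failed signature check")
    log.append("2024-10-21T09:07:45Z", "disruption", "server node B unreachable for 18 s")
    log.append("2024-10-21T09:09:01Z", "vote_cast", "ballot id 1003 accepted")
    return log


def tampered_copy(entries: list[Entry], index: int, new_detail: str) -> list[Entry]:
    """Simulate an after-the-fact edit that recomputes only the edited entry's hash."""
    copy = list(entries)
    e = copy[index]
    new_hash = digest(e.seq, e.timestamp, e.event, new_detail, e.prev_hash)
    copy[index] = Entry(e.seq, e.timestamp, e.event, new_detail, e.prev_hash, new_hash)
    return copy


def deleted_copy(entries: list[Entry], index: int) -> list[Entry]:
    """Simulate an entry being silently removed from the stored log."""
    return entries[:index] + entries[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries))
    print("edited entry 2:", verify(tampered_copy(log.entries, 2, "ballot id 1002 accepted")))
    print("deleted entry 3:", verify(deleted_copy(log.entries, 3)))
    tail = tampered_copy(log.entries, 4, "ballot id 1003 rejected")
    print("rewritten tail, chain only:", verify(tail))
    print("rewritten tail, vs auditor head:", verify_against_head(tail, log.head()))
```

Encrypting the log, as the paragraph also suggests, protects confidentiality but not integrity; the chain above supplies the integrity check, and the two are complementary.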
The legal framework should require that an auditable and unalterable record be produced, but the exact format should not be restrictively prescribed, as to allow flexible uses of technology to ensure the integrity of the ballot.
Verification of Results and Auditing Procedures
The Canada Elections Act already requires post-election reports be provided to Parliament and also mandates recounts in close contests, as discussed earlier. However, as online voting is fairly new and voter confidence in the system may be tentative, additional auditing and verification procedures may be incorporated into the legal framework to increase voter confidence.
Many jurisdictions require some form of audit to be released after an election, in addition to preliminary security testing, although the exact form and nature is often open. Estonia has an outside auditor conduct a procedural audit, to report whether IT staff and others have followed the procedures. New South Wales election law (Parliamentary Electorates and Elections Act 1912, s. 120AD) requires test votes to be tested and audited. Switzerland requires its system to be auditable as well.
The Council of Europe recommendations include ensuring the system maintains an accurate time source so that audit trails and observation data can be subsequently examined (COE 2005, recommendation 84). The Council also recommends that auditing information not be disclosed to unauthorized individuals and that all auditing steps taken be capable of preserving voter anonymity (COE 2005, recommendations 105 and 106). The rationale for this is that while primary security features should be made public to ensure confidence, secondary auditing procedures may be more secretive to make it more difficult for a potential hacker to avoid detection. It may even be prudent to have the auditing and recording technology designed by a different entity than those that develop the voting technology.
We recommend that sufficient auditing procedures be required to be conducted regardless of whether or not there is evidence of mischief. Some of the technical details of how they work may not be fully disclosed to the general public so as to make it more difficult for hackers to avoid detection.
Destruction of Voting Data
Electronic votes using cryptographic technology are highly secure and could take years to break without the decryption keys. However, it is still foreseeable that the data could eventually be decrypted if the voting records were retained. The legal framework should require comprehensive regulatory procedures describing how voting data will be destroyed, as well as a time period for the retention. There was some criticism in an English municipal election because the data were kept on suppliers' servers for nearly a year after the vote (Open Rights Group 2007).
Estonia goes further than just stipulating that the data must be deleted. The country has internal procedures in place to physically destroy all media (such as hard drives or tapes) on which voting data are stored once the period for election appeals has ended (Martens 2012). Additionally, as with other procedures, an auditor is present to ensure compliance (Heiberg et al. 2011). Draft legislation (Bill 186) in Estonia proposes mandating the destruction of all election data within a month of an election, but not prior to the exhaustion of all appeals before the courts.
The legal framework should require the electoral authority to fully destroy any electoral data after a fixed period, once all rights to recounts or appeal of election results have occurred. The regulations should also require appropriate oversight to ensure that the data retention and destruction procedures are fully complied with.
Summary of Recommendations
To ensure the votes are accurate and the e-voting system is secure, the legal framework should require extensive testing at all stages and specific security steps. Ideally, minimum requirements would be in legislation and the electoral authority would be tasked to create detailed regulations and procedures. We recommend:
- Regulations should clearly describe the tests that ought to be conducted prior to e-voting deployment.
- Tests of the software should be completed to ensure it is accessible and usable. Disabled voters, seniors and other groups should be involved in the testing.
- Regulations should require that physical security measures be in place to ensure the integrity of all equipment and prevent unauthorized access during an election.
- Legislation should require auditable and unalterable records of voting activity, threats, disruptions and system activity. The electoral authority could create procedures that include unalterable tape backup and cryptographic encryption of logs.
- Sufficient auditing procedures should be required post-election, even if some details of the audits remain confidential.
- Procedures and timelines should be prescribed for destroying all voting data once all appeals are exhausted.
Many of the considerations for developing a legal framework required to implement e-voting in an uncontrolled environment apply to e-voting in a controlled environment. In both cases, there should be strong requirements for security and integrity of the vote, and the Canada Elections Act should be amended to cover offences such as hacking.
Generally, when voting is used in a controlled environment, concerns will arise with storing and testing the individual equipment, since each terminal could be subject to manipulation or malfunction, and a single faulty terminal could unknowingly affect the results of a number of voters. In Canada, where a voter generally only has to mark one choice (rather than vote in races for many different offices or rank candidates in order), the incremental value of controlled e-voting as opposed to paper balloting at an official station would be quite limited, whereas the cost per polling station would be much higher. Controlled e-voting machines can be expensive to purchase, and can also be expensive to securely store. As such, we cannot generally recommend a broad usage of controlled voting, particularly if it was to be used as an alternative to paper-based voting on election day as is done in some US jurisdictions and countries such as Brazil, India and Venezuela.
While we have focused the bulk of this report on Internet voting, we can envision some limited uses of controlled e-voting.
Uses of Controlled E-voting
Technically, a controlled environment for e-voting would include any computer or device provided and maintained by the electoral authority. This could include assisted voting devices as were tested in a recent Winnipeg North by-election, as well as computer stations that may be set up by the electoral authority to allow voters to use Internet voting.
In the United States, the Help America Vote Act of 2002 mandated that every polling station have at least one direct-recording electronic (DRE) device. This provision is supposed to help voters with disabilities navigate the complex US ballots. A DRE is essentially a stand-alone electronic device that produces a paper receipt documenting how voters vote. Each state is able to independently set its own technological requirements, although many states follow the Voluntary Voting System Guidelines, recommended by the US Election Assistance Commission (US EAC 2005). The Voluntary Voting System Guidelines provide very useful standards on how to ensure that controlled voting systems are secure, as well as minimal standards of accessibility for disabled voters. For any electoral authority planning on rolling out controlled voting for use at a poll, the Voluntary Voting System Guidelines should be an essential resource.
While specialized voting kiosks could be used to assist visually impaired or other disabled voters who want to cast their vote without relying on a third party, the high cost of running the tests in Winnipeg North does not make this the most efficient way to accommodate disabilities. Alternatively, an Internet voting system can accommodate most disabled voters without requiring these voters to come to a polling station.
On the other hand, the electoral authority may wish under certain circumstances to maintain an Internet-connected computer that could also be classified as a controlled e-voting machine. While these may function in the same way as a home computer, the legal framework would have to take into account that multiple voters would be using the same system, and as such any fraud or manipulation of the device could affect numerous voters. The electoral authority would be liable for ensuring the integrity of these computers.
There are a few examples of using controlled voting in combination with an Internet vote. For instance, the Australian military used e-voting for a limited test run in 2007, which was used on special voting terminals for military voters, but was discontinued due to the high cost of the system versus the low number of potential users (Australian Electoral Commission 2008). The Indian state of Gujarat also used limited kiosks for e-voting alongside remote voting, but very little academic literature has emerged from this experience.
The electoral authority in Canada may wish to maintain a limited number of controlled voting stations to use in special contexts. These could be used as an alternative for some special ballots, for absentee voters who have limited access to mail or for voting that takes place in locations that are secure and controlled. The two most obvious groups of users would be military voters deployed abroad as well as eligible voters in penitentiaries. Both of these groups may have limited access to their own Internet-connected computer, and so a number of voters may need to share a terminal.
Other possible locations for controlled e-voting are Canadian embassies, high commissions and consulates located abroad. This may be essential in countries where an embassy may be the only location where encrypted votes could pass a national firewall.
Domestically, the electoral authority may wish to set up an e-voting terminal in areas where there may be a high proportion of out-of-district or absentee voters. Possible locations include universities where students who live on or near campus may be eligible to vote for candidates in their home riding. Additionally, many voters who are out of district may choose to vote at any time at any returning officer's office.
For disabled or homebound voters without Internet access, there is the potential that an elections official would bring a cellular or satellite connected portable computer to their homes to assist with voting. This is already allowed in conjunction with paper ballots under s. 243(1) of the Canada Elections Act. An amendment to allow a voter to opt for similar assistance using e-voting may be considered.
In order to maximize the potential of any Internet voting in a controlled environment, the electoral authority may choose to provide voters the ability to register for e-voting at the location. For instance, a deputy returning officer or authorized official could check ID and authorize an e-voting account.
Provisions should be added to the Canada Elections Act to accommodate limited usages of Internet voting in a controlled voting environment.
Testing Controlled E-voting Devices
In order to use Internet voting in a controlled environment, the legal framework should include requirements to ensure the security and integrity of the devices that will be used for voting. This is especially important because unlike when voters e-vote over the Internet from home, in a controlled environment, voters will not have the opportunity to verify the integrity of the computers that they use. A compromised device could affect a large number of votes, and each device would not have the same level of oversight as the centralized servers on which the main voting software is run. In a controlled environment, the responsibility for ensuring unaltered software is installed is in the hands of the elections officials in charge of the device. This applies whether the voting device is an Internet-connected voting station or a stand-alone kiosk.
While it is important to have independent experts test the security of the code, it is equally important to ensure that devices used in voting are running the correct software. The legal framework should require procedures to test and ensure the validity of equipment, which is essential to ensuring that malicious software has not been installed.
In California, the secretary of state retains a copy of the source code and has the right to perform tests on voting systems (Hall 2006). Other jurisdictions require random tests of machines to ensure no equipment has been modified. Equipment testing may be done based on random polls from each district, fixed-percentage audit models that mandate a portion of stations be tested or adjustable-percentage audit models that require a greater number of tests in districts with close victories (Hall 2006). The importance of testing the equipment is high, because one malicious machine can manipulate a number of votes. It is also important because threats to a controlled system may also come from outside the voting software, such as from other parts of the system (Smith 2006).
If the controlled voting is Internet-based, then steps should be taken to ensure the software installed on it is the same as that installed on any other system. Appropriate procedures and hardware tests should be conducted to ensure the system cannot be modified and there are no accessible user ports on which malicious software could be installed. The exact steps to secure the system are best left to the electoral authority.
Different procedures may be required for stand-alone kiosks, since results may be stored locally and the same central oversight is not available. Many stand-alone machines rely on proprietary source code; in such cases, the electoral authority should have full access to all software and code and be able to have it independently verified. A number of Quebec municipalities used electronic kiosk voting in local elections between 1995 and 2005, but this was discontinued after Quebec's Chief Electoral Officer raised concerns that the e-voting software was not being independently tested and that the legal framework did not include adequate provisions for swearing in technical staff and testing voting equipment (Elections Quebec 2006).
We recommend that, before any controlled voting system is used in an election, regulations be in place requiring an extensive testing regime, and that the electoral authority develop procedures for testing the integrity of the voting systems both before and after the election.
Summary of Recommendations
The electoral authority may seek to deploy an e-voting system in a controlled environment to facilitate accessibility and accommodate more voters. These may be stand-alone e-voting devices used for voters requiring assistance or secure Internet connected systems running the standard e-voting software used by remote voters in an uncontrolled environment. We recommend:
- Legislation should permit electoral authorities to host controlled e-voting for military voters; voters in penitentiaries; overseas voters at embassies, high commissions and consulates; domestic voters in locations such as the offices of the returning officer; disabled voters in the home; and voters on post-secondary campuses, where absentee ballots are common.
- Regulations should require e-voting devices to be tested before and after elections.
- The electoral authority should have access to all software and code installed on machines.
Further Consideration: Specialized Oversight of E-voting
In our opinion, the current electoral system, with well-defined provisions in the Canada Elections Act and administered by an independent Chief Electoral Officer, is generally effective. Elections Canada has worked hard to protect the integrity and fairness of the system, even when doing so has required challenging the governing party.
While the administration is technically centralized, with the Chief Electoral Officer being given wide discretion to implement ad hoc rules under the Canada Elections Act in the event of unforeseen circumstances, this authority appears to be prudently used. The broad discretion is somewhat limited by the decentralized and distributed process of casting and counting ballots in Canada. Most Canadians vote directly in their electoral district and votes are counted directly at thousands of polling stations across the country. If there are problems with voting, or allegations of fraud, it is likely to be confined to a single electoral district.
Internet voting, however, generally necessitates a centralized ballot-counting process in which fraud, disruptions and even a system shutdown could affect some or all voters who intend to cast an online ballot. Under the current electoral structure, the Chief Electoral Officer would retain the sole discretion on how to react to emergency situations and major problems. In comparison, some other jurisdictions rely on electoral committees with judges and senior bureaucrats to make major electoral decisions. Even in Canada, tribunals and decision-making panels rather than individual administrators often make major regulatory and legal decisions. For instance, three judges will often decide on legal appeals at a provincial level and up to nine judges may hear major decisions at the Supreme Court of Canada. If a major e-voting incident occurred, would Canadians be confident in the decision of a single official?
The first deployments of Internet voting in other jurisdictions mainly occurred under the same electoral structure as paper votes, with few institutional changes made to accommodate them. More recently, however, the trend has been toward specialized oversight.
In Estonia, elections are administered by the National Electoral Committee, which is composed of members of the judiciary as well as high-ranking heads of various government departments. This committee has the authority to allow or shut down the e-voting system and to invalidate all or a portion of the results (Heiberg et al. 2011). The presence of judges on the oversight body likely provides additional legitimacy and oversight, particularly within an emerging democracy. However, there was no requirement that any of the members possess special technical expertise, and most of the practical administration and development of the elections has come from the IT department. The Organization for Security and Co-operation in Europe had previously criticized this lack of a distinct Internet voting authority. In response, Estonia recently amended its election laws to create an electronic voting committee that reports to the National Electoral Committee.
France also made special provisions to accommodate e-voting in its 2012 parliamentary election. It set up a seven-member office of electronic voting, consisting of heads of various government information and security boards as well as members of the Assembly of French Citizens Abroad. The office has the power to invalidate the election results and oversees security (OSCE 2012c). As in Estonia, the French board also takes custody of the encryption keys.
Norway did not set up a formal oversight board for its pilot project, although its use of various government departments to handle security and oversee different components required cross-government co-operation to run the election.
Critics fear that if the individuals in charge of electoral oversight do not have sufficient technical understanding, an electronic voting system may be too dependent on the programmers, outside contractors or technical staff involved in implementing the system.
Creating a broader committee or board to assist with the oversight of electronic elections in Canada may help address concerns that may arise from the novelty and technological complexity of conducting an election partly by Internet and the increased concentration of responsibility that will likely accompany it.
A board or committee could work either as a subset of Elections Canada, ultimately advising the Chief Electoral Officer, or as a distinct entity with its own inherent authority under a revised Canada Elections Act. As an advisory body, its functions would be limited to providing advice, with final decisions remaining with the Chief Electoral Officer; with its own inherent authority, tasks such as holding cryptographic keys or authorizing a shutdown could be assigned to the board itself.
The exact composition of a board will require further discussion. Potential candidates include members of the judiciary, heads of national security agencies who would be familiar with technical threats, as well as academics or industry professionals. The most important factors will be whether the public perceives the board as being independent and whether major stakeholders including political parties will have confidence in the appointment process.
Summary of Recommendations
The centralized and technical nature of e-voting requires effective and independent oversight. Public confidence in the system will be enhanced if those overseeing electronic voting have the technical expertise, independence, reliability and multiparty support to make tough decisions related to e-voting. Further discussion is required to determine whether this would be most effective within the electoral authority or with a new body with independent powers. We recommend that the electoral authority and those representing various political parties work together to create a board or committee with the authority to make recommendations to the electoral authority or arrive at certain determinations regarding e-voting oversight. Potential members include:
- federal court judges or others with positional independence
- tenured academics specializing in engineering, computer science or law
- privacy or information commissioners
- others recommended by various political parties
Footnote 8: See, for example, Re Ontario Film and Video Appreciation Society, (1984) 45 OR (2d) 80, discussed in Hogg 2007, 123.
Footnote 9: Extradition treaties and international agreements on cyber security may allow some enforcement.
Footnote 10: This attack happened outside of an election period and appeared to originate from private groups unhappy with the relocation of a Soviet-era monument.
Footnote 11: Canadian courts have upheld that it would be inappropriate to ascertain how a voter actually voted under the principle of secret voting (Wrzesnewskyj v. Attorney General (Canada) 2012 ONSC 2873, paragraph 34, and Cusimano v. Toronto (City), 2011 ONSC 2527).