- ‘Imperative to lift security to higher level’
- Growth of online voting inevitable
- Collaboration with all electoral commissions needed
The New South Wales online voting system is secure enough for next year’s state election “given the relative insignificance of the numbers currently involved” and because current measures are being improved, concludes retired public servant Roger Wilkins, but he is thinking bigger.
A single platform for elections across Australia and New Zealand should really be the ultimate goal, argues the former secretary of the federal Attorney-General’s Department, and it is “imperative to lift security to a higher level” and continuously upgrade it as the number of online voters grows.
Wilkins was asked to review the iVote system’s security, following a NSW parliamentary inquiry into the 2015 state election, but also decided it was “very important” to go beyond his brief and note the views of electoral commissioners: that the growth of online voting is inevitable and a single platform would be the most sensible approach in the long term.
Online voting was used by just over 6% of voters at the last NSW election, up from 1.1% in 2011. It is only open to people who need assistance with voting due to disability or illiteracy, silent electors, registered early voters, people who will be out of NSW on election day, and those who live more than 20km from a booth.
The debate continues…
Wilkins received various verbal and written submissions, some of which are published along with his report and the NSW Electoral Commission’s response. One comes from a group of information security academics including Dr Vanessa Teague and Dr Chris Culnane from the University of Melbourne, who have previously poked holes in iVote and demanded more transparency around the source code involved.
Now they call for the system’s “complete discontinuation” and suggest the terms of reference posed the wrong questions.
Another is from the commission’s former chief information officer, Ian Brightwell, who has tried to rebut their criticisms previously.
Teague and her colleagues have publicised strong concerns about the integrity of iVote in NSW on several occasions, while Brightwell defended it in his former role. More recently, they criticised its adoption in Western Australia.
These researchers have also been instrumental in raising concerns about the privacy of open data, highlighting the fact that anonymised records can be re-identified in a lot of cases, and in many ways the two debates are along similar lines.
On one side are the technical experts that discover and mitigate cyber security risks; on the other are public service leaders deciding how much risk they can accept and manage while still proceeding with their projects.
Teague and her four co-authors authors argue:
“iVote is not secure and does not keep votes private, particularly from insiders. There are a number of inside parties, such as software providers and external service providers, who are not as trustworthy as the electoral commission, yet have privileged access that would allow them to read or alter votes.
“There have been serious problems in almost every conceivable aspect of iVote’s operation: externally exploitable security vulnerabilities, errors in the user interface design, noticeable deviations from the paper returns (in the Legislative Council 2015), inconsistent public remarks about the rates of verification failure, etc. There is still very little public information about the basic facts of the 2015 run, and even less about the WA 2017 run.”
They claim, “there is no known solution for returning ballots over the Internet that is adequate for Australian government elections” on the basis that “there is no reliable way” to detect whether bugs or cyber attacks have influenced the count.
Brightwell’s submission maintains the system is adequate for “limited use” in March, and says it replaced paper voting processes that were “inadequate and demonstrably flawed” themselves, in their own ways. Writing in a private capacity, he urged Wilkins not to be swayed by the critics:
“Most of the arguments against iVote will come from people with very impressive academic qualifications who specialise in cryptography and have great deal of expertise in internet security, particularly in the securing of internet’s secure pipes. Because of this they sometimes are referred to as the plumbers of the internet.
“The expertise of these highly skilled “plumbers” and the standards they measure success by is very different to those of people that build and manage real world business systems like iVote. People who build these systems understand and manage risks in a very different way to the internet plumbers who will only sign off on a solution if it can be cryptographically proved.
“These ‘experts’ will often say that return of ballots over the internet should not be used until they can formally prove the system used is secure. My view is that there will never be a proof that a system returning ballots over the internet is secure, to their standards. However, it has to be remembered that no other business system can satisfy this type of cryptographic proof, hence it should be unreasonable to expect that iVote would be able to meet this standard of proof. The standards and security attributes of the iVote system should be comparable to the system it is replacing.”
‘I take it that iVote will continue’
It appears Wilkins did not entertain the possibility of the commission ever abandoning the system.
“At the outset I should make it clear that this is not an inquiry aimed at doing a cost and benefit analysis of iVote,” Wilkins writes. “I take it that iVote will continue. I see my job as examining certain features of iVote, notably security, and making suggestions about how those features might be improved.”
The retired mandarin begins his 29 recommendations with his unsolicited call for a national approach:
“Electoral commissions in Australia should jointly develop a national platform for internet voting that could be jointly owned and maintained. The platform could be used by any jurisdiction that chooses to allow internet voting. It could be adapted in each case to accord with the law of their jurisdiction, but its core functionality would remain the same.
“This would be the most efficient and secure way to provide internet voting in Australia. The recommendations that follow are framed with an eye to the establishment of a national platform and could be adapted to that circumstance.”
The remaining 28 prescriptions go to the security of iVote in NSW – but focus on “the sort of institutional arrangements and systems that are or should be put in place” while their author acknowledges that “detailed technical solutions” are beyond his expertise.
“The strengths, weaknesses, opportunities and threats of any internet voting system are going to develop and shift very fast and constantly. Software and hardware technologies; business models; public expectations; threats and dangers; mitigation, defence and protections — all this will change rapidly. Accordingly, this report places more emphasis on how government might sensibly deal with internet voting in a dynamic world.”
Wilkins was advised by federal cyber security chief Alastair MacGibbon, University of Sydney professor Rodney Smith and the ABC’s elections analyst Antony Green as well, but makes it clear the recommendations are his alone. It seems the former Commonwealth and NSW department head found the views of electoral commissioners particularly persuasive.
Some of the reasons given in favour of a single platform are that states and territories could “find it difficult to put an internet voting system in place by themselves” and that it would be more efficient than having more than one. The Wilkins report also argues it would be a better way to manage cyber security risks and maintain uniform electoral standards across the Australian Commonwealth.
“One of the big advantages of this is that it allows better utilisation of knowledge at a national level about cyber security – both the threats and positive mitigation.
“It also has the advantage of creating national standards on security and integrity that would be observed uniformly across all Australian elections.
“Recent controversies around this sort of issue in the United States (US) have really underlined the problems of not having national standards properly observed, and implemented, across all the different state electoral systems.”
Wilkins notes electoral commissioners have already been discussing a platform that could be shared through the Electoral Council of Australia and New Zealand, and have agreed to work together towards planning one — at least for those who need assistance and mail in their votes currently — and the Council of Australian Governments is considering the idea.
“This report has been written with an eye to this national initiative,” he writes. “The sorts of institutional arrangements and systems that need to be upgraded and put in place to secure iVote, would make sense to do at a national level in collaboration with all electoral commissions.”
Top image: United Kingdom Foreign and Commonwealth Office.