Electronic voting should be an alternate channel in all Australian elections, according to New South Wales Electoral Commission chief information officer Ian Brightwell, but paper ballots should remain the primary system for the foreseeable future.
“We’re very interested in getting engaged in the public discussion,” Brightwell said last week at the Technology in Government conference. “I’m sure as the federal election approaches there’ll be more talk about electronic voting, and we’ll happy to engage in discussion with anyone about that.”
The state elections CIO insists the well-publicised information security risks are manageable and that a system like iVote in NSW has a place as a “complimentary service” for those who can’t easily cast a ballot the traditional way. “I wouldn’t like to see it being dominant,” he said. In his view, the two channels could enhance each other’s integrity.
“I wouldn’t like it to get past about 10-15%, simply because of that point: you’ve got a good balance between an electronic channel and a paper channel, so that you can see both have integrity, and you can also say with [more] certainty that you know what’s going on in one channel or the other when they both balance,” said Brightwell.[pullquote] “We think in an election or two, post is not really going to be an option for us.” [/pullquote]
The state elections CIO said the commission had no plan for iVote to become a mainstream channel, at least for the next decade or so, but added: “Into the future, who knows?”
He pointed out to the tech-savvy audience that Australia Post is one of the victims of their vaunted digital disruption. “We don’t know where they’re going to go but we think in an election or two, post is not really going to be an option for us,” said Brightwell. He also attempted to put information security issues into context with the integrity of paper votes, which is far from absolute.
“The scrutiny that happens in the polling place is not that high, when you look at the overall voting load, whereas you can get stronger evidence of the actual voting integrity when you’re using electronic voting,” he said. “And if you combine the two, you get a much clearer picture, because to defraud both systems would be very, very difficult.”
He explained that the security, accuracy and secrecy of elections is never guaranteed. “So what we get in the end in the manual count is an approximation, and we hope by virtue of random error it’s a good approximation of the actual outcome, but that’s the best we can get,” said Brightwell. “Electronic voting gives you another cross-check to that.”
About 283,000 online votes were cast in the March NSW election. That’s about 5% of the total, six times as many as in 2011 and, it is claimed, a world record. Initially a way to afford people with impaired vision the same voting secrecy as others, iVote was extended to people with other disabilities and anyone who is out of NSW on election day or lives over 20km from a polling place.
The commission didn’t expect so many people would meet the eligibility criteria as absentee voters, according to its CIO. Perhaps some simply claimed they’d be absent to avoid running the how-to-vote gauntlet and lining up with the masses on polling day.
User satisfaction was also extremely high, although the shine was taken off iVote’s latest milestone somewhat by two information security researchers who led a campaign against the system in the weeks leading up to the March 2015 state election.
They claimed they found a vulnerability on an outside server, but because the system wasn’t open source they couldn’t tell more. The server was inserting user-experience analytics code into the iVote website so Brightwell and the commission could learn more about any troubles the users were facing.
After the vulnerable server certificate was identified, the analytics code was removed from the site, but the researchers, Vanessa Teague and Alex Halderman, were not satisfied with the NSWEC’s response. They accused the commission of failing to understand the “serious implications” of their simulated attack.
‘That probably wasn’t a great decision’
Brightwell assured the audience that the commission had always taken iVote’s security extremely seriously, but was “miffed” that the researchers went to the media instead of coming to them first: “They went to the media, and that quite frankly annoyed the commissioner no end.”
He went on to reveal more about how Teague and Halderman found the flawed certificate, including a “compromise” the CIO admitted he wouldn’t have made in an ideal world:
“What they found was a weak certificate on a server that I didn’t really want in the original design, but as it turned out when we did the roll-out, we had to make a compromise decision,” Brightwell said. “That was my decision; probably wasn’t a great decision, but there you go. We don’t believe — when we’ve looked at the logs and looked at everything we can — that that actually manifested itself into a particular incident, through that vulnerability.
“The reality is browsers will always be vulnerable. There are innumerable attacks that you could execute on the browsers at any point in time. We acknowledge that; that’s an accepted risk. We believe our verification server provides some awareness of that if it does happen.
“Post-election … the most obvious and simple way is to simply look at the results [from] multiple channels and see if such an attack happened.”
In spite of these security concerns, all signs point to an overwhelming public appetite for online voting and strong public trust in its integrity. Unfortunately for Teague and Halderman, their trenchant criticisms only served to further publicise iVote.
The biggest bump in usage came right after their dire warnings were carried by several major media outlets, according to Clinton Firth, CSC’s general manager of cyber security for Australia and New Zealand. It seems plenty of people are happy to take the risk in exchange for the convenience.
“Essentially they did a great marketing campaign for the NSW Electoral Commission and … the votes went through the roof,” said Firth, an information security expert who helped manage security controls and threat-actor monitoring for iVote, and joined Brightwell at the conference.
Firth led an approach that sought not only to batten down the hatches as much possible, but also look outwards, to find and identify who might try to crack the system.
“The key thing here really is to integrate, so once you understand your threat actors then you need to integrate that into your ecosystem as well,” he told the conference.
“The traditional means of just really monitoring inside the walls of your castle and your security operations centre and the rest is [only] getting you so far, but you’ve really got to start integrating that plus also looking outwards, understanding who your threat actors are and what’s coming down the pipe.”
He explained that his controls picked up a few attacks using two major vulnerabilities, but there were less attempts than expected and none were proven to have compromised any votes.
A failsafe measure is an automated telephone verification service that allows any voter to check their vote was recorded correctly, providing individual assurance and a random post-election sample to match against.
“I think the other key thing is again [the incidents] were all blocked by controls,” Firth told a sceptical audience member. “They were all blocked; none of the incidents were actually exploited, as far as we can tell. And we’ve done a lot of analysis, a lot of investigations.”