
Online voting report released

Peseta Sam Lotu-Iiga said:

A report looking at the feasibility of online voting for local body elections has been welcomed by Associate Local Government Minister Peseta Sam Lotu-Iiga.

In September 2013, Cabinet agreed to establish a working party to consider the feasibility of online voting in New Zealand’s local elections. The working party met from December 2013 to May 2014 and has now reported back with its recommendations.

Mr Lotu-Iiga says the working party found online voting for local elections is feasible. The report said that online voting has the potential to enhance the operation of local democracy and offer New Zealanders a more accessible and convenient option to cast their vote.

“One of the major benefits of online voting is as a tool of convenience. It would enable voters to act on their intention to vote quicker, easier and in a forum more in line with the modern digital age,” he says.

“We have seen good examples of that recently with the census, where 35 per cent of forms were completed online in 2013, which is up from 7 per cent in 2006.”

I was on the working group that wrote the report. It was a lot of work, but I’m really pleased with the report. Very impressed with the DIA staff who supported the working group.

The report makes seven findings. They are:

  1. online voting is feasible
  2. broad implementation is not feasible in 2016
  3. online voting should be trialled in 2016 as part of local elections
  4. online voting can improve and enhance the voting experience
  5. public trust and confidence must be maintained
  6. implementing online voting will require a partnership approach
  7. securing online voting is critical, but not easy

Some of the specific recommendations include:

  • online voting should be considered complementary to postal or booth voting and not as a replacement to existing voting methods
  • Councils and their communities should choose whether online voting is available as a voting method
  • In order to ensure that online voting systems are secure enough, the Department should harness the expertise of the wider security community through a ‘bug bounty’ or similar process to attract constructive analysis of proposed systems for vulnerabilities.
  • The Department should ensure that any online voting solutions are highly auditable.
  • For the 2016 trials, online voting should use the existing postal ballot issue to communicate login details to users, only allow one-time access to the online voting system and use two factor authentication if possible – our preferred option is for the voter to use their date of birth (acquired from the electoral roll) as a ‘shared secret’

The Institute of IT Professionals has welcomed the report:

IITP CEO Paul Matthews, who sat on the working group, welcomed the release of the report today. “This report plots the path forward for online voting in New Zealand, and carefully weighs up the issues around security and other factors”, Matthews said.

During the development of the report, the Institute was heavily engaged and very pleased with the focus of the Working Group and Government on protecting the integrity of voter’s private information amidst the security implications of online voting.

“We especially support the recommendation of a ‘bug bounty’ approach to the online voting system. While bug bounties are used extensively in our sector by most prominent technology companies, this would be a step forward for a Government and is one of the key recommendations from the IT profession to Government last year, following various public sector security breaches.”

“We thank the Minister for looking to IITP and other organisations such as Internet New Zealand to provide independent expertise for this Working Group. As the representative body for the IT Profession, this enabled IITP to work with others to ensure tech-related factors were well considered, independently and without technology bias,” Matthews concluded.

Basically what is needed now is for central and local government to work together to determine how to find the initial costs of developing a robust online voting system. This will have potential for not just local government elections, but also referenda. Note I don’t advocate using online voting for parliamentary elections – just as a complementary option to those systems that rely on postal ballots – as the postal system is basically dying.

Political commentator David Farrar posts at Kiwiblog.

Comments and questions

David - can you please explain why you do not favour online voting for parliamentary elections?

“One of the major benefits of online voting is as a tool of convenience. It would enable voters to act on their intention to vote quicker, easier and in a forum more in line with the modern digital age,”

Says it all really....

Keith, I can't speak for the other David, but speaking for myself (another David), I support David's scepticism. The approach being taken by DIA is designed to fail. As a starting point, any solution that's not open source from the start is fundamentally untrustworthy. Moreover, the security considerations for any solution must be better than "good enough". The DIA's approach seems to be "we're going to have online voting, bugger the boxing, let's pour the concrete!" It's been tried, around the world, by people at least (and probably more) qualified than those involved in this process. Nearly all have either failed absolutely or ended with significant caveats. Most of them have even abandoned the process (except for votes where the stakes are trivial) because it's fundamentally vulnerable to large-scale exploitation that could also be untraceable.

I think the DIA is foolhardy to think that NZ will somehow avoid all the other traps that have befallen the other jurisdictions that have tried this. The only realistic approach with a chance of success is a collaborative approach undertaken by many gov't departments, starting with defining (and opening for scrutiny) a set of open standards for online voting. Then any implementation must be open source to allow unfettered scrutiny by anyone with an interest. This is the only way to address those who place mistaken faith in "security through obscurity": http://en.wikipedia.org/wiki/Security_by_obscurity

A solution based on the bitcoin blockchain model (http://www.bitcongress.org/) is likely to be the only even theoretically secure-able online voting scheme, and warrants further investigation... but the approach currently being pushed by DIA is fundamentally flawed and will fail spectacularly.

Using a 'Birthday' as the two-factor shared secret is a dead give-away they haven't thought this through.

It's not a secret when it's on Facebook, LinkedIn, and every other profile you've ever put online.

Open Source is not the answer to everything, and certainly not in this case either.

Open standards, open source for unfettered scrutiny by anyone?? So you can right now go and request the voting records to verify who voted how?

You're overcomplicating the situation drastically.

Hi Steve, unfettered scrutiny is the only possible way to achieve a trustworthy solution. That can only be achieved by open source. There's no implication in that that voting records or other voting related *data* is available - just the software that manipulates (records and collates) it. Open standards for determining what is collected, how it's correlated, how it is stored, how it is encrypted, how it is audited, etc. must be open standards, otherwise it hands a monopoly to the vendor of any given implementation (which each vendor will attempt to parlay into greater marketshare, rather than into implementing better systems). Open source is not the whole answer, but if the answer doesn't require it being open source, then the wrong question is being asked.

To clarify my previous post (apologies for the extra words, etc.) I think, Steve, that you might have a fundamental misconception of what "open source" means... It does not suggest that any data in an open source system is open for all to see. Only the software source code (which is completely independent of the "data" that it ultimately holds) is visible to anyone. Go to http://github.com to peruse a couple hundred thousand open source code repositories... Actually, the world's most security conscious computer systems are open source, like SELinux. The working principles of open source are that a) "security through obscurity" is not a valid security model, and b) the larger the number of software developers who can test and view the source code of a piece of software, the more likely that security vulnerabilities will be found (and fixed) before they can be exploited by those with ill-intent. Note that proprietary systems (closed source) have substantially more practical vulnerabilities (e.g. MS Windows) than open source software (e.g. Linux). Another crucial thing about open source: there are fewer incentives for open source projects to try to *hide* knowledge of security holes rather than promote them to achieve a fix as quickly as possible. That is why there are many Linux security reports (but generally for very minor issues) whereas proprietary OSs like MS Windows often hide news of actually exploited security vulnerabilities because it affects their commercial interests to admit to be seen as insecure... From a user security perspective, the incentives inherent in open source are far preferable to those that motivate proprietary software developers.

Dave, good explanation, though I am well aware of what Open Source is, and isn't.

In saying that, just because a system is closed doesn't mean that it's insecure.

As the end result is about a secure eVoting solution, who cares if one vendor supplies it and uses that reference for other business.

RedHat, Novell SuSe would all do the same to show their capabilities.

An eVoting solution would face external audit, scrutiny of the architecture, implementation, security and results products...closed or open would be irrelevant.

Steve, unless it's open to arbitrary scrutiny, it can't be trusted. That's a fundamental difference between proprietary and open source. Proprietary software vendors choose who scrutinises. With open source, no one can preserve their vested interests. The incentives are fundamentally different. If people can't implement and test the system independent of the vendor, the system can't be trusted. That simple. There is no way a proprietary system can achieve that level of trust unless it's open source, in which case it's no longer proprietary. Open source is a necessary pre-requisite to any trustworthy voting system. I (and many others) rightly refuse to accept your assurances to the contrary.

Just to clarify:

"In saying that, just because a system is closed doesn't mean that it's insecure. "

That's possible, but as a user who demands to be able to trust the system before using it, I wouldn't be able to verify that for myself if I wanted to. With open source, either I - or some disinterested party that *I* trust - can verify it. With proprietary that's not the case. Therein lies the difference. Proprietary software is inherently unacceptable for trusted systems for that reason.

Beyond open source, there's also the need to verify the legitimacy of a given implementation (i.e. that the implementation used for a specific election is an unadulterated instance of the open source code). That, in practice, would likely have to be done by a publicly accountable 3rd party, but can relatively easily be verified via trusted hashes among other methods.