Electronic Voting. Impossible, Dangerous, Irresponsible.

Ok, Christy Clark's the new Premier-designate of BC... and the BC Liberal Party used electronic voting to elect her. Good for them, they get to use whatever method of insecure voting they want in their party elections.... but simply put, you don't get to mess with my voting system, even if you win one election, get a majority and decide to change the rules. We've got a constitution in BC, and it's not a flexible working document. It says we get to have an election as defined in the Election Act (also not a flexible document), and if you want to change that, you'd better be prepared to go to a binding referendum.

It didn't work for BC-STV and it won't work for electronic voting. Here's why:

1. We're entitled to a secret ballot. "(1) Voting at an election must be by secret ballot."

If an IP address can identify a copyright infringer (and it routinely is used for that), it can identify a voter. Note that this provision exists to protect the populace from government retribution, so it cannot be as weak as 'we won't collect that information'... it has to be held to the standard of 'we _can't_ collect that information'... and with Internet voting, yes, you most certainly COULD collect that information, and that's just not good enough.

2. We're entitled to a voting officer and an election official at all voting stations. "92 A voting officer and another election official must be present at all times at each voting station while voting proceedings are being conducted at the voting station." We also require that no one else be able to observe another person at a voting booth: "(1) While a voter is using a voting screen to mark a ballot, no other individual may observe or be in a position to observe the ballot being marked."

This provision is, among other things, designed to ensure that there is no improper influence on voters (a husband telling his wife how to vote and watching her vote to ensure compliance, for example). It also ensures that all the regulations about influence near a polling place are properly observed. None of this can be enforced in the home, and Internet voting, no matter how technologically secure, cannot meet the requirement of an election official being present at all voting stations.

3. We're entitled to a sealed ballot box. "95  (1) Before a ballot box is used for ballots, the election official responsible, in the presence of at least one witness, must inspect the ballot box to ensure that it is empty and seal it in such a manner that it cannot be opened without breaking the seal."

A digital vote would have to pass through dozens if not hundreds of intermediaries. It would be subject to a systems administrator, a host of software developers, etc... US voting machines have shown how bad an idea this is... and now we're talking about a black-box Internet voting system. How could the public have confidence in such a system? How do you witness a digital vote being cast, and ensure that it is properly boxed? I know of no programmatic system that could not be altered (opened) and then restored to its original condition. Maybe some sort of voting lithographic system, but now we're really stretching plausibility.

4. We have systems in place to prevent vote selling. You cannot prove who you voted for at a voting booth. In any digital system, however, you can take a screenshot.

5. The argument "but we already have absentee voting"... isn't quite accurate. Yes, you can vote in absentia; however, your vote is only used in certain circumstances, where the number of absentee votes is greater than the margin between the candidates. At all times the absentee votes are to be kept separate from 'real' votes. "(d) to keep ballots used for alternative absentee voting separate from all other ballots used in the election." In an election where absentee votes are the determining factor, you can bet there would be extensive review of the result. These votes are the exception, not the norm, and are an anti-disenfranchisement program -- not simply an alternative method of voting.

6. Ok, so you're still not convinced that Internet voting will result in vote selling, influenced votes, and a severely undermined secret ballot. So what about security? I could hack the election. A bold statement, but not complicated to achieve. Let me explain -- The systems envisioned are all credential-based and web-browser-based. This has several fantastic flaws. First, the user needs to be in control of their computer. I can take that control away with a virus -- don't think I can infect enough computers to control the election margin? Then you're not paying attention to the reality of botnets and worms -- to the fact that Shaw closes entire network ports because their customers' computers are so disastrously compromised that they represent a SPAM threat. The pathetically small number of networks means that deploying a botnet using an as-yet unreleased zero-day flaw would require only scanning the IP address space of Shaw and Telus in BC. I could deploy this network mere minutes before the election and delete it immediately after -- detection would be difficult [though not impossible], but proving how widespread the infection was would be completely impossible. Given that a re-vote is not likely, a hacker could easily, at the very least, disrupt the election; at moderate damage, draw the election result into question; and at worst, actually steal the election for a candidate. Stuxnet is an example of a worm suspected to have been developed by a foreign government and deployed to carry out a very specific task -- if it worked against Iranian centrifuges it can work against our election systems. It is not unreasonable to think that the next zero-day software flaw could easily steal an election... but let's continue with the attack in another way... the election will require encryption in transit... SSL is the likely choice...
it's used for e-banking, and with EV certs is actually really powerful encryption -- however it has a massive, fundamental flaw for voting. Trust. Dozens of organizations (yes, corporate organizations) make up a browser's certificate trust store, and ANY of them can issue certificates that appear completely legitimate to the browser. This trust model is fantastically broken in an elections scenario and simply passes the keys to the kingdom (literally) to a handful of corporate actors, and in fact to the government of the day, which can compel the release of private keys. Further, compromising any one of these providers' private keys (as we've seen in the past with several high-profile hacks) makes it easy for a hacker to create a man-in-the-middle vote flipper. Deployed in one geographic place -- say the Shaw or Telus NOC -- it could literally act as a man-in-the-middle proxy, receiving and flipping votes as desired for essentially every e-voter in BC. SSL trust is just simply insufficient for e-voting -- and it always will be. You also couldn't detect this attack, as it would use the customers' IPs directly. No software on either the source or destination machines. No detectable difference on either end of the transaction. No, solving the security issues with e-voting is as hard as making a working DRM system -- there are too many analog holes, too many points of attack, it's just too easy. I could confidently say that, given an undisclosed and un-patched, remotely exploitable zero-day vulnerability in Windows or OSX, I have the technical skill to steal an election -- and there is no software you can make that could stop it. Identify that it happened, perhaps, but not stop it -- and the public distress from a compromised election, a re-vote, the madness that would ensue, it's just not worth it.

7. So home machines are totally out; what about kiosks? Better security... you can solve issues 1-4... but then what do they add? Is an e-voting kiosk better than a piece of paper? Nope. Just look at the nightmare which is the US e-voting systems, the controversy, hacked elections.... etc. I don't trust those systems; they offer little benefit over the paper system we know and love. Plus, they don't increase voter turnout, as you still have to go to the polling place.

So here's my challenge. Someone, anyone, propose a secure e-voting system for peer review. Address 1-4. Address zero-day flaws. Address broken SSL trust, DNS forgery, etc. I'll do my best to enlist some of the best security researchers, hackers, and my network of web developers and net neutrality nerds, and we'll show you how to hack your election... for free. But right off the bat, eliminating the zero-day flaw is the holy grail of the entire worldwide software industry -- what makes anyone think that BC has the resources necessary to solve the desktop security problem? Simply: we can't. Use of electronic voting is impossible, dangerous and completely irresponsible.