The "Canadian Model" for Assessing Internet Voting Security
Question: Can Internet voting be done securely?
While this question seems simple enough, it actually provokes conflicting and complex opinions, and sometimes strong emotions on both sides. There are folks who see Internet voting as a threat to democracy, and those who see it as an enhancement of the democratic process.
Two professors of Information Systems from York University in Toronto, Saggi Nevo and Henry Kim, have written a scholarly paper on how to rationally assess the risks that threaten Internet voting systems. From their paper I derive what I call “the Canadian Model” (for a general rather than scientific readership) to guide the discussion:
- First, specify the type of attack to be considered.
- Second, suggest who might launch such an attack, e.g., the Taliban, a US teenager in his bedroom, the Pirate Party, or whoever.
- Third, name the object of the attack: the voter’s PC, iPad or smartphone, the election server, etc.
- Fourth, estimate the likelihood of an attack’s occurrence.
- Finally, estimate the likelihood of an attack’s success.
For the last two steps, the likelihood, or probability, can be rated on a scale from 1 to 10, with 10 meaning the attack is most likely to occur, or most likely to succeed, judged by past experience with Internet voting.
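To make the five steps concrete, here is a small risk register that applies them. It is an added example, not code from Nevo and Kim's paper or from this post. The scoring rule (risk = occurrence x success, each on the 1-to-10 scale above), the way an observed frequency is turned into a scale value, and the scenario data are all assumptions chosen for illustration; the one thing it deliberately enforces is that an attack with no recorded incidents gets no automatic score, because an empty record is not evidence that the likelihood is zero.

```python
"""Risk register for the five-step model.

Added example, not from the paper or the post. Scoring rule and the
frequency-to-scale mapping are assumptions; the register rows are constructed.
"""
import math
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Scenario:
    attack_type: str   # step 1: type of attack
    attacker: str      # step 2: who might launch it
    target: str        # step 3: object of the attack
    uses: int          # elections (uses of the system) in the empirical record
    occurred: int      # how many of those uses saw this attack
    succeeded: int     # how many of those uses saw the attack achieve something


def to_scale(events: int, uses: int) -> Optional[int]:
    """Steps 4 and 5: observed frequency -> 1..10 (10 = most likely).

    Assumption: ceil(10 * events / uses), floored at 1 once anything has been
    observed. Returns None when nothing has been observed: zero recorded
    incidents is not a zero likelihood, so the analyst must supply a judgement.
    """
    if uses <= 0:
        raise ValueError("no empirical record to estimate from")
    if events == 0:
        return None
    return max(1, min(10, math.ceil(10 * events / uses)))


def assess(s: Scenario, judged: Optional[Tuple[int, int]] = None) -> dict:
    """Rate one scenario. `judged` is an (occurrence, success) pair the
    analyst supplies when the empirical record is empty."""
    occ = to_scale(s.occurred, s.uses)
    suc = to_scale(s.succeeded, s.uses)
    if occ is None or suc is None:
        if judged is None:
            raise ValueError(f"{s.attack_type}: no empirical data; a judged estimate is required")
        occ, suc = judged
    for v in (occ, suc):
        if not 1 <= v <= 10:
            raise ValueError("scale values must be within 1..10")
    return {"attack": s.attack_type, "attacker": s.attacker, "target": s.target,
            "occurrence": occ, "success": suc, "risk": occ * suc}


def rank(assessments: list) -> list:
    """Highest combined risk first."""
    return sorted(assessments, key=lambda a: a["risk"], reverse=True)


# Constructed register. The DoS row echoes the post's figures (two incidents
# across a record of just over forty uses); the malware row is hypothetical
# and has no recorded incidents, so it needs a judged estimate.
REGISTER = [
    Scenario("denial of service", "unknown (never identified)", "election server", 42, 2, 2),
    Scenario("vote-altering malware", "organized group", "voter's PC", 42, 0, 0),
]

if __name__ == "__main__":
    results = [assess(REGISTER[0]), assess(REGISTER[1], judged=(3, 4))]
    for r in rank(results):
        print(r)
```

With the post's numbers the DoS row comes out at 1 for both occurrence and success, matching the estimate given at the end of the post; the point of the second row is that a scenario nobody has yet observed still has to be rated, by judgement, rather than silently scored as harmless.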
As mentioned in an earlier post, over 40 cities in Canada have used Internet voting systems as a part of their election process. There have been other, nongovernmental, uses of Internet voting as well. The New Democratic Party (NDP), for example, has offered it during elections for its officers. So, in Canada, there is considerable empirical experience with the technology upon which to base estimates of the probability of an attack and of its chances of success.
Indeed, NDP officer elections have been attacked twice. On both occasions a Denial of Service (DoS) attack interfered with the online voting. This type of attack is launched against the election servers, which host the website on which party members vote. An election server must have enough bandwidth and processing capacity to handle the traffic the election is expected to generate. An attacker who can point a large number of computers at the website at an agreed time, whether an organized group of volunteers or, more commonly, machines compromised without their owners' knowledge, can exhaust that capacity and delay legitimate voters who try to log on at the same time.
In 2003 a DoS attack on the NDP server did clog up the system. Fortunately, the system operators had anticipated such an attack and were prepared to respond: their software identified where the attack traffic was coming from and blocked it, and voting was delayed by only 45 minutes.
Again, in 2011, an NDP election was delayed, this time for a couple of hours. In this case the system may also have had insufficient capacity, so a coincidental surge of legitimate voters could have prolonged the delay in addition to the alleged DoS attack.
In both cases no votes were lost or altered, and no unauthorized votes were cast or counted. The harm of a DoS attack lies in the delay itself: voters who give up rather than wait are effectively disenfranchised, and a count of lost or altered votes does not capture that.
No perpetrators have been identified or apprehended in either case.
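The two NDP incidents turn on two operational questions: can the operators tell where a flood is coming from so they can block it (2003), and can they tell an attack from a surge of legitimate voters (2011)? The script below is an added example of both checks, not the NDP operators' software or any vendor's product. It reads web-server access-log lines in Common Log Format, counts requests per client address in one-minute windows, and classifies each window. The log lines are constructed, and the thresholds (30 requests per source per minute, 100 requests per minute as "busy") are assumptions chosen for illustration.

```python
"""Per-source flood detection over access-log lines.

Added example, not the NDP's or any vendor's code. Log format, thresholds
and sample data are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

PER_SOURCE_LIMIT = 30   # assumption: max requests per source per one-minute window
SURGE_LIMIT = 100       # assumption: total requests per window that count as "busy"
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line: str):
    """Parse a Common Log Format line into (ip, timestamp, path).

    Example: 203.0.113.7 - - [12/Mar/2011:10:00:01 +0000] "GET /vote HTTP/1.1" 200 512
    """
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1:rest.index("]")].split(" ")[0]
    ts = datetime.strptime(stamp, TIME_FORMAT)
    path = rest.split('"')[1].split(" ")[1]
    return ip, ts, path


def analyse(lines):
    """Return {window: verdict}. A verdict holds the request total, the number
    of distinct sources, the sources exceeding PER_SOURCE_LIMIT (candidates
    for blocking) and a classification of the window."""
    per_window = defaultdict(Counter)
    for line in lines:
        ip, ts, _path = parse_line(line)
        per_window[ts.strftime("%Y-%m-%d %H:%M")][ip] += 1

    verdicts = {}
    for window, counts in sorted(per_window.items()):
        total = sum(counts.values())
        block = sorted(ip for ip, n in counts.items() if n > PER_SOURCE_LIMIT)
        blocked_share = sum(counts[ip] for ip in block) / total
        if block and blocked_share >= 0.5:
            kind = "dos: a few sources dominate the traffic"
        elif total > SURGE_LIMIT:
            kind = "legitimate surge: many sources, none abusive; add capacity"
        elif block:
            kind = "abusive sources present but not dominant"
        else:
            kind = "normal"
        verdicts[window] = {"total": total, "sources": len(counts),
                            "block": block, "class": kind}
    return verdicts


def make_sample_log():
    """Constructed log: minute 10:00 is a flood from two addresses on top of a
    trickle of real voters; minute 10:05 is a surge of 120 distinct voters,
    each making two requests."""
    def entry(ip, minute, second, path="/vote"):
        return (f'{ip} - - [12/Mar/2011:10:{minute:02d}:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = []
    for i in range(50):
        lines.append(entry("203.0.113.7", 0, i % 60))
        lines.append(entry("198.51.100.9", 0, i % 60))
    for i in range(10):
        lines.append(entry(f"192.0.2.{i + 1}", 0, i))
    for i in range(120):
        lines.append(entry(f"192.0.2.{i + 1}", 5, i % 60))
        lines.append(entry(f"192.0.2.{i + 1}", 5, i % 60, "/ballot"))
    return lines


if __name__ == "__main__":
    for window, verdict in analyse(make_sample_log()).items():
        print(window, verdict)
```

The per-source rule catches the 2003 shape of attack, where a handful of addresses generate most of the traffic. It does not catch a distributed attack in which thousands of compromised machines each send a modest number of requests: that traffic looks, to this check, exactly like the legitimate surge in the second window, which is why the 2011 case could not be cleanly attributed and why capacity planning matters as much as blocking.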
Lesson: Even though no other successful DoS attack on an Internet voting system has occurred in Canada, or anywhere else in the world, every online voting system should be set up to defend against such attacks, because experience shows they are at least somewhat likely to happen and at least moderately likely to succeed.
On the 1-to-10 scale, with two slightly successful DoS attacks known across the 40-plus Canadian uses, municipal and party, the likelihood of both occurrence and success might be rated a 1: not much, but it is better to be safe than sorry.