Online voting: the ultimate hackers’ challenge
TheStar.com – Opinion/commentary – What happens when cynical voters give their authentication and authorization information to everyone who asks?
Aug 01 2013. By: Bob Delaney
“Be careful what you wish for, because you just might get it.” So goes the famous quote. Without very careful study, you might get the wish of Internet voting — and live to regret it.
Your birth certificate and passport are “foundation” documents. You have to show up to get them. You have to show up to get married, and you should have to show up to cast a ballot, both “foundation” activities. Internet voting advocates assume away the large risks — and certainty of abuse — of online voting, not to mention the difficulty and expense of developing the system.
There is no audit trail in an online vote. Physical ballot boxes are sealed in the presence of human witnesses. The individual ballots can be recounted to determine by sight the voter’s intention. The sheer number of human beings physically watching voters makes the integrity of the ballot box difficult to breach, though people try to cheat in every election.
Online voting would be used just once every four years. There is no opportunity to properly debug the system when it goes awry on election day, or between elections, or stress-test the system to determine if it stands up to the server traffic. Enersource’s web servers went down during the July rain storm power outage in the GTA. People got their information from Facebook and Twitter.
Hackers thrive in the years of dark time between scheduled elections. Proponents of online voting point to the ubiquitous use of online banking and other daily Internet transactions. The critical difference is that those other systems are used, debugged, watched and stress-tested each and every day by scores of experts who know them inside out.
Gaining access to the software’s root directory enables a hacker to control the system on election day, and corrupt the outcome. By the time voters see the damage, it is too late.
If a person votes in person and, at about the same time, votes online, the latency of removing that person from the eligible voters list almost certainly means both votes will count. Can software used just once every 1,470 days anticipate that problem? If Mr. and Mrs. Ontario show up at the polls, are told by the returning officer that they’ve already voted online, and kick up a fuss, they will be allowed to vote in person. Both votes will count, including the online ballots perhaps cast by a hacker with their authentication and authorization data.
Online votes instantly become a negotiable commodity. What are a voter’s user ID and password worth? A beer? Ten or twenty bucks? At work, out-of-town on business, or on vacation on election day? Provide your information to your favourite party, and they’ll ensure you vote. For them, of course. What happens when cynical voters give their authentication and authorization information to everyone who asks? When mass rallies or TV infomercials, after pressure-packed propaganda, exhort voters to take out their phones or tablets, and vote online, there is no fact-checking or sober second thought.
At stake is not somebody’s savings account, what classes they take, or how they use their affinity points. Cheating in online voting in Ontario would mean getting hold of the levers of a $125-billion budget, and making decisions that govern 13 million people. With present-day election turnout of half the eligible voters, the theoretical turnout may be 150 per cent, assuming the system is manipulated so that every eligible Ontarian votes online, whether each voter actually cast an online ballot or not. If, on election day, a party that has never elected a single member in Ontario election history forms a strong majority government based on a voter turnout of 115 per cent of the electorate, then what?
I once asked the VP then in charge of Microsoft Windows development, which then employed 7,000 full-time people, how they made on-time decisions to keep product development moving forward. “Decisions,” he said, “are made by people who show up.”
I have pushed the Ontario Legislature hard to use information technology in more areas, and use it better. As an MPP, I raise serious issues about the potential for abuse, and about the integrity of online voting. My advice to Elections Ontario head Greg Essensa when we met was simple: don’t do it! The great risks far outweigh the few perceived benefits. Mine is not a video game democracy. Democratic decisions in Ontario should continue to be made by people who show up. Voting is a foundation activity.
Bob Delaney is the Member of Provincial Parliament for the riding of Mississauga-Streetsville. He is a member of the Ontario Liberal Party.
< http://www.thestar.com/opinion/commentary/2013/08/01/online_voting_the_ultimate_hackers_challenge.html >