Online voting is a serious issue that Canadians need to remain aware of and/or become educated about. I’ve previously written about issues surrounding Internet-based voting, and was recently interviewed about online elections in light of problems that the National Democratic Party (NDP) had during their 2012 leadership convention. While I’m generally happy with how the interview played out – and thankful to colleagues for linking me up with the radio station I spoke on – there were a few items that didn’t get covered in the interview because of time limitations. This post is meant to take up those missed items, as well as let you go and listen to the interview for yourself.
Public Dialogue Concerning the NDP Leadership ‘Attack’
There are claims that the attacks against the NDP’s online voting system were “sophisticated” and that “the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group.” Neither of these statements are entirely fair or particularly accurate. Publicly disclosed information indicates that around 10,000 IP addresses were used to launch a small Distributed Denial of Service (DDoS) attack against the voting system used during the NDP’s convention. To be clear: this is a relatively tiny botnet.
While such a botnet might justifiably overwhelm some small business networks, or other organizations that haven’t seen the need to establish protections against DDoS scenarios, it absolutely should not be capable of compromising an electoral process. Such a process should be significantly hardened: scalable infrastructure ought to have been adopted, and all services ought to be sitting behind a defensible security perimeter. To give you an understanding of just how cheap a botnet (of a much larger size) can be: in 2009, a 80,000-120,000 machine botnet would run around $200/day. You even got a 3-minute trial window! In 2010, VeriSign’s iDefence Intelligence Operations Team reported that a comparable botnet would run around $9/hr or $67/day.
If a few Google searches and a couple hundred dollars from a Paypal account can get you a small botnet (and give you access to technical support to help launch the attack, depending on who you rent your bots from) then we’re not dealing with a particularly sophisticated individual or group, or an individual or group that necessarily possesses very much knowledge about this kinds of attacks. Certainly the action of hiring a botnet demonstrates intent but it’s an incredibly amateurish attempt, and one that should have been easily stopped by the vendor in question.
The Vendor Was Unprepared
Perhaps the most damning piece of the story is that Scytl, the vendor the NDP choose to work with, was utterly unprepared for such an attack. The CBC notes this when they report that:
Scytl has never experienced an attack like this before, company spokeswoman Susan Crutchlow said .
“But this is not uncommon, I mean … this is just a common thing that is happening out in the industry,” Crutchlow said.
“Obviously, this has now allowed us to capture additional data to incorporate into the security measures of our system.”
That Scytl hadn’t experienced this kind of (amateur) attack is indicative of the company’s relatively low profile, and the low (online voting) profile of elections they have previously been involved with. Moreover, the company admits that this is a “common thing that is happening out in the industry” and yet was unprepared to address it in real time. This lack of preparedness is strongly suggestive that the company lacked the basic security measures that ought to have been in place.
The Significance of the DDoS Attack
While it’s pleasant that the vendor was able to “capture additional data” for their security responses in the future, their failure in this instance undermined the legitimacy of the leadership vote. Note that the company argues that “[t]he vote wasn’t compromised, Scytl says, pointing to an audit by Price Waterhouse Coopers during the convention. The attacker didn’t get through the site’s security system, and no ballots cast by credentialed NDP members were added, subtracted or changed.” It isn’t necessary to actually change ballots at the server. All that is required to threaten a vote’s legitimacy is to make voting inconvenient enough that people decide not to vote. In instances where people had intentionally waited until the convention to vote, and then were disincentivized from voting because of technical security problems, then the attacker successfully compromised some of the vote’s legitimacy.
Now, would the voters that decided not to vote have changed the outcome of the leadership vote? Perhaps not. But the instrumental outcomes of citizens of voting or not voting are beyond the point: casting a ballot is about participating in an electoral system and expressing your preferences for leadership in a responsible and democratic manner. Where citizens or NDP party members are prevented from voting, for whatever reasons, then the democratic, if not the instrumental, outcome and importance of the election is threatened. To preserve a democracy we must focus as much on its mechanisms for guaranteeing democratic legitimacy as the instrumental outcomes (i.e. who is elected) of those electoral processes.
In short,to guarantee legitimacy to a democratic system it doesn’t matter if your preferred candidate doesn’t win. If you’re casting a vote, you’re participating a democratic system and lending legitimacy to the process itself, regardless of the outcome. When you can’t cast a vote then you’re excluded from the system and thus unable to participate in legitimizing the process. Where technical instruments and services – such as online voting – endanger the legitimacy-enabling processes of a democracy, then those technical instruments must be set aside.
If you’d like to listen to the 10 minute interview I had concerning online elections – which address divergent, and broader, points than those raised above – then either click on this link to on CKON’s website, or on this local link, to download a copy to your computer or stream it.