Online Voting in Ontario's Municipal Elections A Conflict of Legal Principles and Technology? Authored by Anthony Cardillo Department of Electrical and Computer Engineering Aleksander Essex, PhD., P.Eng. Western University, Canada Associate Professor Department of Electrical and Computer Engineering Western University, Canada Nicholas Akinyokun School of Computing and Information Systems The University of Melbourne, Australia PUBLICATION NOTE An extended abstract of this report was presented at the Fourth International Joint Conference on Elec‐ tronic Voting (E‐Vote‐ID) in Bregenz, Austria, October, 2019. It won the Best Paper Award in the Trackon Security, Usability and Technical Issues. Cite the extended abstract as: Anthony Cardillo, Nicholas Akinyokun, and Aleksander Essex. Online Voting in Ontario Municipal Elections: A Conflict of Legal Principles and Technology?. In: Krimmer R. et al. (eds) Electronic Voting. E‐Vote‐ID 2019. Lecture Notes in Computer Science, vol. 11759, pp. 67‐82, 2019. Cite this full report as: Anthony Cardillo, Nicholas Akinyokun, and Aleksander Essex. Online Voting in Ontario Municipal Elections: A Conflict of Legal Principles and Technology? Whisper Lab Research Report, Western University, 2020. Available online: https://whisperlab.org/ontario-online.pdf Acknowledgments We are grateful to a many individuals in Ontario and beyond for helpful conversations and important in‐ sights. Special thanks to Jane Buchanan for her tireless effort searching municipal documents. Thanks to Joe Abley, Richard Ackerman, Tony Adams, Matt Bernhard, Kevin Creechan, Faye and Ron Ego, Josh Franklin, Nicole Goodman, Jared Marcotte, Beata Martin‐Rozumiłowicz, John Meraglia, Scott Richie, Matt Saunders, Cameron Shelley, Ken Strauss, Dave Suffling, Vanessa Teague, Anne Walkinshaw, Susan Watson, Uli Watkiss. Thanks to the Association of Municipal Managers, Clerks and Treasurers of Ontario (AMCTO) for giving us several opportunities to share the results of this study with their membership. Finally, we wish tothank the numerous voters and candidates of the 2018 Ontario municipal election who contacted us to share their concerns. This work is dedicated to the voters and candidates of future Ontario municipal elections. ABOUT THE AUTHORS Aleksander Essex Aleksander Essex is an associate professor of software engineering at Western University, and head ofthe Western Information Security and Privacy Research Lab. His research specialization is cybersecurity and applied cryptography, and he is an internationally recognized expert on the cybersecurity of electronic and online voting. Since 2007, his research has focused on developing and deploying advanced technological methods for evidence‐based elections, as well as identifying, reporting, and fixing vulnerabilities in existing electionsys‐ tems. In Canada, he has worked with federal, provincial, territorial and municipal governments to promote the development of secure election technology, standards, and practices. He is a member of the Election Verification Network, an international professional society of election technology experts. Anthony Cardillo Anthony Cardillo is a masters candidate in the Department of Electrical and Computer Engineering at West‐ ern University. His research focuses on computation on encrypted data using homomorphic encryption in the health data privacy setting. He is supervised by Prof. Essex. Nicholas Akinyokun Nicholas Akinyokun is a Ph.D. candidate in the School of Computing and Information Systems at The Univer‐ sity of Melbourne, Australia. His research focuses on secure multi‐party computation for evidence‐based elections. He his supervised by Prof. Vanessa Teague. 3 CONTACT INFORMATION For questions, corrections or more information about this report, please contact: Aleksander Essex Department of Electrical and Computer Engineering Western University London, ON, Canada, N6A 5B9 (519) 661‐2111 ext. 87290 [email protected] https://essex.cc @aleksessex 4 EXECUTIVE SUMMARY Despite Ontario having one of the largest concentrations of online voters globally, its use isnot governed by any federal or provincial cybersecurity standard. This has left many municipalities to make decisions largely in isolation, relying on private for‐profit vendors to set their ownbar for cybersecurity and public accountability. This report presents the first comprehensive study of the cybersecurity of online voting in the context of Ontario’s 2018 municipal election. Our key findings include: • The only comprehensive accounting of online voting adoption, vendor partnerships, and the extent of municipalities affected by emergency extensions to the voting period on election night, • Identification and discussion of cybersecurity incidents and non‐best practices observed in the election, including weak voter authentication, poor transparency and account‐ ability of election results, and a general lack of disaster‐preparedness, which resulted in nearly one million voters receiving an emergency extension to the voting period due toa misconfiguration in the online infrastructure on election night, • A study of ballot secrecy demonstrating that up to 50% of the online voters in the2018 election were uniquely re‐identifiable by their login credentials, From these observations, we question whether the democratic and legal principles ofthe Mu‐ nicipal Elections Act are being adequately protected by the technology deployed in practice and provide a series of concrete recommendations for municipalities and the province, including the development of mandatory minimum cybersecurity standards of online voting. CONTENTS 1 Introduction 7 2 Background 7 2.1 Online Voting in Ontario Municipalities ............................ 7 2.2 Legal Context ......................................... 8 3 Election Statistics 9 3.1 Initial Survey of Available Data ................................ 9 3.2 Data Collection Methodology ................................. 10 3.3 Results: Who Used Online Voting? .............................. 11 4 Key Observations and Findings 13 4.1 Disaster Preparedness .................................... 13 4.2 Voter Authentication ..................................... 15 4.3 Transparency and Accountability ............................... 16 5 Other Observations and Findings 18 5.1 Cybersecurity claims ..................................... 18 5.2 Voter Assistance in an Unsupervised Setting ......................... 23 5.3 Limitation of Liability ..................................... 23 5.4 Security of Voter Computers ................................. 23 5.5 Scrutineering in an Online Setting .............................. 25 5.6 Data Ownership ........................................ 25 6 Analysis of Voter Confidentiality and Ballot Secrecy 26 6.1 Re‐identifying Voters with City and Date of Birth ...................... 26 7 Recommendations 28 8 Conclusion 31 A 2018 Online Voting Use By Municipality 34 B Municipalities Declaring Emergency Voting Extensions 45 C Dominion’s Election Night Statement 46 6 1 INTRODUCTION In an era characterized by foreign interference in national elections, it can be easy to lose sight of the cyber‐ security of elections held at the municipal level. With much of our attention squarely focused on state‐level threat actors, we must occasionally remind ourselves of a more fundamental threat to our democracies: loss of confidence in the process itself. This idea is summarized expertly by the Supreme Court ofCanada: Maintaining confidence in the electoral process is essential to preserve the integrity of theelec‐ toral system, which is the cornerstone of (our) democracy. ... if (electors) lack confidence in the electoral system, they will be discouraged from participating in a meaningful way inthe electoral process. More importantly, they will lack faith in their elected representatives. Con‐ fidence in the electoral process is, therefore, a pressing and substantial objective.1 In this report, we study online voting in the context of Ontario’s 2018 municipal elections in which asmany as one million voters cast a ballot online. In the absence of almost any federal or provincial government standards or oversight, municipalities and their private for‐profit vendors are primarily left to set theirown bar for cybersecurity and public accountability in their elections. We present several observations about the election and question whether the associated practices align with the legal principles established in case law. We believe these observations will prove significant to municipalities, since, as the Chief Electoral Officer of Ontario recently pointed out: As the public becomes more informed about software, malware, and manipulation of technol‐ ogy data systems, they are increasingly interested in knowing exactly how election technology preserves the integrity of our electoral process and the confidentiality of their personal infor‐ mation [6]. This leads to the central thesis of this work: purposeful, malicious interference, or fraud is not necessary to undermine an election. Nor is the honest discharge of an election sufficient to prevent it. Givenenough time, a seed of doubt in an otherwise faithfully executed election may eventually grow to accomplish what even the best threat actor cannot. With the goal of preventing this outcome, we hope this work will serve as an encouragement to Ontario municipalities and others contemplating online voting to develop standards to address these issues. 2 BACKGROUND Canada does not offer online voting at the federal