- Date published:
3:45 pm, October 9th, 2016 - 139 comments
Categories: electoral commission, electoral systems, Politics, vote smart - Tags: local government, Malcolm Alexander, online voting
As a professional computer programmer and someone who has been involved in politics for decades, I’m always amazed at fools like this idiot Malcolm Alexander talking about something that they clearly don’t understand the technicalities of.
Local Government New Zealand chief executive Malcolm Alexander said it was time to bring in online voting.
Voter turnout at local body elections had plummeted 15 per cent since 1989, when postal voting replaced voting day, Alexander said.
“We’ve got to ask ourselves, is postal voting fit for purpose? There’s no silver bullet, but we are going to look at online voting quite hard … it’s the way of the future, particularly in engaging youth.
“Postal voting doesn’t ring their bell. It’s like asking a Ferrari driver to ride a horse.”
Security had to be dealt with, but others, such as banks, had managed it, Alexander said.
Yeah right. It is pretty clear in this and the rest of this bozo’s waffle, that he really doesn’t understand the fundamental issue. That of responsibility and liability.
The banks primarily deal with it not accepting any major liability. Go and read the fine print. They run a policy of acceptable risk and following some pretty low security standards to legally prove their due diligence. Most of the liability for breaches at the front face of their systems fall to the customers.
Think about that. This is an insurance model. It means that they accept that there may be serious breaches of security but the risk level to the banks is acceptable. Most of those breaches will be because people give others their pin numbers or credit card details or login details. But the banks aren’t liable for those types of security breaches. Sure they have back-end breaches as well, but they are few and far between. But they also have years to amortise the cost of improving their security systems to deal with each case.
For the banks, the risk of a small fraction of breaches over a year or two, that the bank winds up paying for, are way cheaper than spending a lot of money to reduce the probability of breaches. This is why the way of expressing security levels in standards is mostly expressed as being the cost of assembling the team and skillsets to crack through the security.
Now translate that same security model to online voting. Few of these things apply. Voting is something that happens continuously like banking, instead it has punctuated periods of activity. It doesn’t have large budgets – something like $50 million in an election year. And above all, most elections are decided by relatively small numbers of people when political parties are involved.
In some shape or form in a online system, the access details have to be sent to about 3 million people, and then they have to login to a system to vote. It makes it pretty easy collect or even to deduce those details, just as it is in any postal ballot. My apartment block has had a score of local postal voting letters on the foyer board for previous tenants over the last couple of months. A post out of the logins for an online system would require the same.
But there is a bit of a level of inherent security in the postal vote system. While I’d bet that some people voted for others, it is hard to get or forge paper well enough to tip results. And given a complaint by a frustrated voter, it wouldn’t be hard to track where and probably who has been diddling the postal votes.
However given enough details of logins, I’m pretty sure that it wouldn’t be hard to figure out an algorithm that would give a reasonable chance for getting logins. That is because the Electoral Commission would have to balance off the complexity of the login against the probability that people will fail to enter a 25 character pass code. And it really isn’t hard to make lots of untraceable access to the net. I can see at least 90 wifi routers with my 0.5 cm aerial from my workstation just waiting to cracked into, and more than 30 of them even reveal their SSID in public. This is kiddie level hacking.
But hey, you don’t have to bother doing even that level of work. Because typically elections are won or lost on the basis of just a few thousands of people. So just accessing the firmware of the multiplicity of switches or just getting access into the lines would do. Just find areas that vote the ‘wrong’ way and disable their net. This can be done with finesse like disabling access to particular pages on the net or without finesse with some bolt-cutters to take out lines and cell points.
Then of course there are people like me. In the last 26 years I’ve been professionally working as a computer programmer on everything from programming firmware through to building netapps and working on payment systems. I do a lot of network systems for everything from firmware based radio networks to running application across dispersed cloud systems. I’m pretty sure that if I found the inclination to ‘test’ an online voting system, I could shift the results. I’m also pretty sure that I wouldn’t be caught at it. Besides, there is nothing to really stop me offering public information about weak points for anyone to read.
These days there are a lot of us out there with skills, and contrary to popular opinion, software engineers do tend to have quite differing political opinions. But I suspect that one thing that most of those of us around the net space would probably agree on is that online voting would be fantastically dangerous. It is just so damn easy to make it fall over, and that is before you start to look at ways to do it maliciously.
But anyway, voting rates for postal voting and online voting for young voters is still going to be crap. Look at the young recently graduated engineers that I work with.
They largely didn’t seem to vote in this postal election despite wanting to do so. I got tired of hearing about how they were going to vote for Chloe Swarbrick. But when I queried them on Friday after postal voting closed, most of them still had the voting papers in the car on Friday, or hadn’t picked the papers up from a flat they lived in two years ago, or hadn’t gotten to the family address in time. They same things I have been hearing from similar young voters for the last 25 years. Changing to online voting isn’t going to change that, they’d still have to get those logins from the post
Remember these are the engaged young voters. They actually knew at least one person who they’d vote for. Doing it online is unlikely to change those litanies of personal negligence 😈
Personally I think that the real solution of falling turnout in elections is pretty obvious and quite simple. Look at the 74+% turnout in general elections when the actual number enrolled is far higher than in local elections. Or the higher turnouts in any walk-in election before postal voting was brought in. It is also pretty safe security wise. There are simply too many people involved to do a seriously widespread attempt to distort the results. Moreover, it is a lot easier to identify people and to charge them legally. Anyone who is involved in computers at any depth knows exactly how hard a skilled cracker is to trace.
So do something simple. Revert to only having walk-in vote that minimises the risk levels because a lot of people can see what is going on. Combine it with the general election to reduce costs. Make it the one day you go and walk in and vote, and I’d expect that voters will do so.
I suspect even some of the young engineers that I work with would get around to voting then. Especially if they can special vote on election day.
It’d be a damn sight cheaper than any online system – even before I and my ilk turn our attention to improving the online security by testing it to destruction.