The opportunity to vote in-person for the PEI Plebiscite on Democratic Renewal has passed. Today, November 7, is the last opportunity for Islanders to cast their vote online or by phone. Shortly after the 7PM deadline, the final results will be reported to the speaker of the provincial legislature before being released to the public.
The question is “How can we guarantee that the reported results are accurate?” For several federal elections, I have served as a candidate’s representative (commonly referred to as a “scrutineer”), volunteering my time to sit at the polling station during election day, witnessing that the ballot box is empty when assembled in the morning, verifying that no one starts stuffing it with ballots, and watching the count at the end of the evening. I keep my own record of the results at my polling station and do compare them against the official results published by Elections Canada to ensure they match. They always have. It is because a multitude of citizens, representing different candidates, verifying different polling stations, set aside their time in this way that we can guarantee the accuracy of election results in Canada.
Unfortunately, this opportunity is not available for the results that will be released this evening. Advocates of any of the five choices are not permitted to watch the counting of even the paper ballots in this plebiscite. My own request to do so was declined by Elections PEI Chief Electoral Officer Gary McLeod. Instead, an audit team consisting of four accomplished election officials from across the country, all of whom are being paid by Elections PEI for their effort, will review the results.
The ones actually counting the votes will be two for-profit companies called Simply Voting and Election Systems & Software (ES&S), based out of Montreal and Omaha, Nebraska, respectively. It is possible for the audit team to recount the paper ballots, cast on November 4 and 5, to verify that the vote tabulating machines worked correctly. It is not possible, however, to effectively recount the votes cast over the Internet or by phone. The only records of online votes exist in the servers owned by Simply Voting Inc., which is a big problem for two reasons.
The first issue with internet voting is the surrendering of ballot secrecy. In order to vote, you will need to authenticate using a personally identifiable combination of your date of birth and PIN number. The result is that the administrator of the system has visibility of which electors voted for which options. Whether this association is stored in the system database is a question that Mr. McLeod did not answer when I asked. Note that, when voting in-person, the poll clerk does not find out who you voted for behind the screen. The simple act of dropping your paper ballot into a common box is an underappreciated way of breaking the association between your vote and your identity.
The second issue with internet voting is that the results are not independently verifiable (without publishing the list of how each elector voted). After an elector votes online, a transaction record will be created, with a time stamp, logging their selection. The system can show them a verification screen but whether the logged value matches that selection is a different story. Programming code error, a malicious insider, or an external hacker could manipulate the log in an unwelcome manner. The audit team can manually count up the votes in the log to ensure that the totals align but they cannot verify the integrity of the log without calling up the voter to ask them if the recorded value matches the selection they chose – or if they actually voted at all. The fact that a marked ballot cannot be changed while inside a ballot box is an underappreciated attribute that ensures votes can be counted (and re-counted) as cast.
If anyone doubts whether it is possible for an external hacker to change votes without even the knowledge of the system administrator, they need look no further than the 2010 election in Washington, DC. When internet voting was piloted there, a group led by Professor J. Alex Halderman of the University of Michigan was able to gain near-complete control over the servers within 48 hours. They revealed secret votes, changed them as desired, and even viewed the physical server room from its webcam. Their escapade was undetected and would have remained so if they didn’t add the University of Michigan fight song to the public user interface.
Is it possible that something similar happened in the PEI plebiscite? Even if a security breach was detected, would it be in the interests of Elections PEI to publicly admit it? What if PEI changed its electoral system based on the outcome of this plebiscite, then learned years later that it had been compromised? I assure you that I, myself, made no attempt to hack in. The problem is that you shouldn’t have to take my word for it.
Let’s not abandon the merits of in-person elections and independent scrutineers.