Tuesday, June 20, 2017

Internet Voting in Guelph Municipal Elections

"You know, comrades," says Stalin, "that I think in regard to this: I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this — who will count the votes, and how," from Boris Bazhanov's Memoirs of Stalin's Former Secretary.

Like many other people I was extremely happy to vote by using my computer in the 2014 municipal election campaign. I thought it was convenient and "hip". I wasn't totally happy with the outcome of the vote, but that's democracy and everyone else's opinion is ultimately as important as mine, so I didn't think much about the voting system after that.

But it turns out that Stalin had a better grasp of what is or is not important than I did. Fortunately, Guelph Council recently listened to delegates who were concerned about potential problems with electronic voting and decided to go back to the old system for the poll in 2018. But the vote was close and many of the people who wanted to keep the new system were very angry with the change back. As a result, I think that it would help readers to see an in-depth discussion of the issues at play.


Ballot Counting 101:

The two key points of fairly counting and recording votes are secrecy and transparency.

A vote has to be secret because if someone else finds out how an individual votes, they can use that knowledge to bribe or threaten the voter into voting the way they want. The necessity of making votes secret might seem a "no-brainer". But in actual fact, the first votes in Canada were not secret. People voted orally. If this were done today, you would walk into a big room and publicly declare to everyone present whether you were voting Liberal, Conservative, New Democrat, or Green. This meant that partisan operatives could do things like buy a beer for anyone who voted for their party, and/or beat the crap out of anyone who voted for one of the others. Between the drinking and the intimidation, there was a lot of violence during early elections---which tended to drive down voter turnout among people who just wanted to avoid the entire hassle.

The way our modern democracy got around this problem was by creating a system where people are allowed to keep the way they vote totally secret. When we go into the polling station we are first identified as someone who is allowed to vote: by being on the list of electors and not having already voted. Then you are given a paper ballot that has nothing on it that can tie you to it. Then you take that ballot to a place where no one can see you vote. Then you fold up the piece of paper in a way that keeps anyone in the room from seeing how you voted. Then you place that folded piece of paper into a box. Those pieces of paper are jammed together and pulled out later to count. (I know that this is how you vote federally and provincially, not municipally---but this particular system illustrates the concept, so I'm using it instead. More about the present municipal system below.)


People often say "If we can manage our bank account and buy items on-line, why can't we just as easily vote that way too?" This issue of secrecy is the key difference. In a bank there are detailed records and a history of transactions. Every bank transaction is carefully recorded against a specific account because both the individual and the bank want to keep track of the money. In contrast, in a secret ballot election all the votes are tossed together and mixed up specifically to keep the origin of each individual vote a secret. So with banking, if someone steals your identity and drains your bank account, you will know that this has happened because the records will show that the money is gone and who is supposed to have removed it, and investigators can trace the transaction back from there. They might, for example, be surprised to find that elderly Aunt Matilda spent $1,000 at a sex shop in Durban, South Africa and suspect that identity theft had taken place. In contrast, if someone steals your vote there is no record of your particular vote being taken, because the origin of each particular vote has to be kept secret from everyone involved in counting it. There is nothing for you to check after the fact and nothing for an investigator to trace. For this reason, finding and tracing fraud in a secret ballot is a much more difficult task than in a bank account.


Some people have said that the bad old days of attempting to buy a person's vote or intimidate them out of voting for someone else are over, so we shouldn't be so afraid. "No one would try to do that sort of thing today!" This misses the point of the "Robocalls" incident.  To understand what happened then, people have to wrap their heads around what data-analysis and modern computer technology have done to elections.

First of all, all the major political organizations have created sophisticated computer systems that keep track of everyone who has ever bought a membership, made a donation, or expressed an interest in a specific political party. Secondly, these organizations move heaven-and-earth to get their hands on contact information about specific "demographics" that they can use to their advantage. To cite one ancient example, if memory serves, I remember reading that Brian Mulroney helped fund his leadership bid by purchasing the Canadian mailing list of something my faulty memory records as "The Ruby Red Grapefruit Company".  (I don't know if the link provided goes to the actual company that Mulroney used, but this is the sort of business I'm talking about.) This company sold especially good citrus fruit through the mail. It wasn't a huge business, but it identified a certain segment of the population that had very large disposable income (the service wasn't cheap) and who weren't afraid of spending their money (the customers weren't cheap, either.) This was a "golden" group for a political fundraiser and Mulroney used it as a source for funding his leadership bid.
Things have progressed exponentially since the Mulroney era. Using ad-targeting systems like Google's (the system that tailors the ads on the side of this website to the individual reading this story), it is possible to find not only people who have enough disposable income to support a leadership bid, but people who have a specific point of view about partisan issues. If you have ever bought an in-car radar detector, for example, you might very well support a political party that promises to get rid of photo radar if it forms the government---which Mike Harris and the Conservatives did in a past provincial election. Designing a platform for a well-financed political party now involves dividing the population into individual "slices" that are highly motivated to vote on one specific issue, appealing to them with "designer policies", and then adding these different populations together to see if the party can get a plurality.

That's why political campaigns have ceased to be about trying to convince the entire public that one set of policies is good for the public interest. Instead, politicians try to shore up their core support (voters who will only vote for your party---the only question is whether or not they will bother to vote at all), and then add in a couple of highly-motivated, one-issue constituencies (ie: people who rarely vote, but will for one particular issue that highly motivates them), in order to gain the plurality that will form a majority of seats. It works like this. Through polling, the Conservative party learns that it can count on the support of a core of 25% of the voters. Then it finds that if it supports a policy scrapping the gun registry, it will bring in 8% more voters. If it promises to get rid of photo radar it can get another 8% of the vote. Promise to force people on welfare to work at "workfare" instead of just cutting them a cheque, and you get another 4%. This pushes your projected vote up to a total of 45%. Since the Liberals' core vote is 32%, the NDP can count on 15%, and the Greens will get 8%, the Conservatives win a "plurality". And because we have a "winner take all" system called "First Past the Post", the Conservatives will take over Parliament and control the country---even though a majority of people (55%) voted for parties that opposed the Conservatives.

These computerized lists of supporters and potential supporters are so important to political parties that you could argue they have become their most important asset. As evidence, consider the following. In the last leadership race for the Conservative Party of Canada all the candidates were given access to the membership database. Brad Trost was accused of giving the membership list to the National Firearms Association. The party proved that he had done so by planting different false names and contact info in each iteration of the list that was given to each candidate. (This is called "salting" the list.) The Firearms Association used the membership list Trost gave it to do a mass mailing, and when the fake names and addresses received their propaganda, the Conservatives knew which candidate had given away the "family silverware". Not only was this breach of security considered important enough to build a tracking system around, Trost lost a $50,000 security deposit for breaking the rules. Obviously, the Conservatives really want to protect their database!
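Here is what that kind of "salting" looks like in practice, as an added example (my own illustration, not the Conservative Party's actual system or code). It assumes a small constructed membership list, a secret known only to the list's owner, and three hypothetical recipients named candidate_A, candidate_B and candidate_C; every name, address and secret in it is made up. Each copy of the list gets one planted member whose details are derived from a keyed hash of the recipient's name, so the list owner can regenerate any canary without keeping a separate record of them, and a recipient has no way to tell which entry is the plant.

```python
"""Tracing a leaked membership list with per-recipient canary records.

Added example; the data below is constructed and not any party's real list.
"""
import hashlib
import hmac

# Constructed sample membership list (assumption: names and addresses are fake).
MEMBERS = [
    {"name": "Alice Abbott", "email": "alice.abbott@example.org", "postal": "N1H 1A1"},
    {"name": "Bashir Chen", "email": "bashir.chen@example.org", "postal": "N1E 2B2"},
    {"name": "Carla Dubois", "email": "carla.dubois@example.org", "postal": "N1G 3C3"},
    {"name": "Dev Okafor", "email": "dev.okafor@example.org", "postal": "N1K 4D4"},
]

# The list owner keeps this secret; recipients of the list never see it.
SECRET = b"constructed-secret-do-not-reuse"
LIST_VERSION = "leadership-2017"
RECIPIENTS = ["candidate_A", "candidate_B", "candidate_C"]  # hypothetical

# Pools used to make the plants look like ordinary members.
FIRST_NAMES = ["Morgan", "Dana", "Jules", "Sam", "Robin", "Avery", "Kai", "Lee"]
LAST_NAMES = ["Fenwick", "Garrow", "Halden", "Ibsen", "Jessop", "Kovacs", "Larkin", "Moss"]


def canary_record(secret, list_version, recipient):
    """Derive the fake member planted in one recipient's copy.

    An HMAC over (list version, recipient) makes the record reproducible
    from the secret alone, so nothing has to be stored per copy, and a
    recipient cannot work out which entry is the plant.
    """
    msg = f"{list_version}|{recipient}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
    tag = digest[2:6].hex()  # 8 hex chars keep the mailbox unique per copy
    return {
        "name": f"{first} {last}",
        "email": f"{first}.{last}.{tag}@example.net".lower(),
        "postal": "N1H 0A0",
    }


def salted_copies(members, secret, list_version, recipients):
    """Return {recipient: list}; each list carries its own canary, merged in
    alphabetical order so the plant does not sit conspicuously at the end."""
    copies = {}
    for r in recipients:
        copy = list(members) + [canary_record(secret, list_version, r)]
        copies[r] = sorted(copy, key=lambda m: m["name"])
    return copies


def trace_leak(leaked_emails, secret, list_version, recipients):
    """Given addresses that received an unauthorised mailing, return the
    recipients whose canary is among them.  More than one hit means the
    copies were merged or shared, which is worth knowing rather than hiding."""
    leaked = {e.lower() for e in leaked_emails}
    return sorted(
        r for r in recipients
        if canary_record(secret, list_version, r)["email"] in leaked
    )


def demo():
    """Hand out salted copies, leak candidate_B's, and trace it back."""
    copies = salted_copies(MEMBERS, SECRET, LIST_VERSION, RECIPIENTS)
    mailing = [m["email"] for m in copies["candidate_B"]]
    return trace_leak(mailing, SECRET, LIST_VERSION, RECIPIENTS)


if __name__ == "__main__":
    print("leak traced to:", demo())  # ['candidate_B']
```

Run it and the constructed leak of candidate_B's copy traces back to candidate_B. Two things a practitioner would add: several canaries per copy, so that a recipient who deletes entries they don't recognise is still likely to leave one in, and a policy for the case where a mailing lights up more than one recipient at once, which the trace function reports rather than collapsing into a single suspect.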

This sort of fine-grained tracking of voter concerns was impossible before the advent of computer technology. Indeed, it has gotten to the point where a political machine can not only afford to keep track of its supporters, it can even keep track of people who vote for other political parties. And this has weakened the secrecy provided by the paper ballot system that I described above. People supporting the Conservative election campaign used this information. They didn't send thugs out to beat up people who were going to vote Liberal, NDP, or Green---like in the bad old days---but they did set up a robot dialing system to call these people on the telephone. The message told them that the place where they were supposed to vote had been moved at the last minute. The implication being that if the person went to the wrong place and found out that there really wasn't a poll there, they wouldn't bother to vote at all---which would rob the other parties of support. In addition, other robocalls were made to people who were identified as core Liberal supporters, which were purposely annoying and were obviously designed to turn people off from the election to the point where they couldn't be bothered to vote at all.

The important point to learn from the Robocall incidents is that "it can happen here" and that there are members of major political parties in Canada who have malevolent intent and will use illegal means to win elections. We simply cannot rely upon the goodwill of politicians to safeguard our democratic rights. We need voting systems with robust mechanisms that prevent abuse---no matter what the intentions of political operatives.


The next issue is the security of the ballot box. It is also possible to manipulate the count by changing the ballots in the boxes before they are counted (ie: "stuffing the ballot boxes"). The way that the existing paper-based system gets around this problem is by making sure that the processes involved are as transparent as possible. The Canadian and provincial systems do this by allowing for the presence of scrutineers, who are appointed by the political parties running candidates in the election. Their job is to make sure that no "hanky-panky" takes place during the mechanics of voting, collecting the ballots, and counting the votes. Since there are scrutineers from all the major, competing parties, the chances of pulling off a fraud involving stuffed ballot boxes or fake voters is almost non-existent in the current paper-based system used federally and provincially. The paper system that Guelph uses municipally is a different issue because it uses optical scanners to count paper ballots. More about this later on, after I've dealt with the issues raised by the sort of computerized voting system that was used in the last municipal election and was rejected for the next one.


The most important problem with Internet voting is that it destroys the transparency that keeps the paper balloting system honest. Ultimately, every time you use a computer or reduce a pile of votes to something like a thumb drive, you reduce things like counting and protecting the ballots to a "black box" that no scrutineer can observe. I've found a YouTube video by Tom Scott at the "Computerphile" channel that explains in detail the problems with electronic voting systems (ie:  not just the Internet) far better than I could, so I'm just going to let him do it for me:


Let's just look at one of the simplest ways (in the sense of not requiring computer hacking---which takes expertise most people lack even to understand) that an on-line voting system could be manipulated. In order to vote on-line, each voter has to be given a PIN to identify themselves. Usually this is done by mailing a card to the household on the list of eligible voters. Whoever gets that piece of mail now has the name and PIN that is necessary to vote. In the paper system, crooked politicians cannot use this information to buy a vote because there is no way they can tell whether someone they pay really does vote the way they want. And they can't cast the vote themselves, because impersonation is too difficult given the need to show ID. But because all the Internet voting system requires is the name of the voter and her PIN, it is now possible to buy a vote simply by buying that name and associated PIN. The buyer doesn't even have to trust the seller to vote as promised: with the name and PIN in hand, the buyer casts the vote personally.

Of course, there is the problem of how someone would be able to buy enough votes without being caught doing so. It is important to remember that modern marketing analytics allows businesses to select very carefully-designed "slices" of the electorate. This means that a careful criminal would only seek out races where there is a very slim difference between winning and losing. Modern election campaigns can identify these races through "in house" (ie:  the numbers that don't end up in the news) polling data. As little as a hundred votes can easily make all the difference in these ridings or wards.   

If an organization can separate out people who are going to vote for another party, and has the confidence to send them to the wrong address to vote, then it probably can find a fraction of the population that would be interested in selling their votes---if the price was right. The Internet is filled with people doing shady activities, for example, and a lot of businesses are willing to sell their mailing lists or have databases that are easily hacked.

This not only can identify people who have no qualms about selling their vote, it also opens up the option of blackmail. So let's say you are a criminal in Russia who has hacked the databases of several companies that sell marijuana seeds and drug accessories. Let's also say that you have the employee lists for businesses (like the Toronto Transit Commission) that have a policy of drug testing their employees and firing anyone who tests positive. Then you cross-reference the two lists (a ridiculously simple task nowadays) to see which people end up on both. Now you have a list of voters you could contact during an election, to suggest that if they don't want an anonymous letter sent to their bosses saying that they take drugs, they might want to email in their PIN. There are lots of other ways to generate such a list---for example, years ago someone hacked the membership list of Ashley Madison (a web service that helps people cheat on their spouse). A criminal organization needn't do all this work itself, as these databases are for sale at on-line "thieves' bazaars" on the "Darknet".

To sweeten the pot, the gangster can offer payment too---in the form of Bitcoin. Lest people think Bitcoin too esoteric, there are now even ATMs that you can use to convert it into Canadian currency. At one time Guelph had one, although it has since been sold and moved to Sault Ste. Marie. The point is, however, if you have Bitcoin, you will be able to exchange it for Canadian money---no questions asked.

Now this fictional Russian gangster has developed a database of voters who could potentially be "bent" in different ridings and wards across the country. If he is smart, he won't use this list too often. Instead, he will wait until someone has a close race and might want to use his service. He might have a news search bot that looks for indications of close races, then do a quick analysis of the candidate and his organization to see if it might be interested in his services. Then he might place a discreet inquiry. He might even look to other criminals who might be interested in buying an elected official they can blackmail at a future date. They would work as the "middle-man" who could get the "election bots" out there to win the race for "their guy".

When the out-of-country gangster has a customer, he can harvest votes using several methods. He could just hire someone in the local constituency to cast the votes for him at places like public libraries. More likely, however, he'd just use a "Virtual Private Network" (VPN) to make it look like the votes were originating in the riding. This is the same process one goes through to watch American or British Netflix from Canada. Businesses like TunnelBear do this on a routine basis. By working out-of-country and paying with Bitcoin, a criminal can reduce his risk of both detection and prosecution to almost nil.

Finally, as the Robocalls story shows, authorities are extremely reluctant to overturn an election result---even if there is clear evidence of hanky-panky. Most people over-seeing elections are career bureaucrats who are directly involved with career politicians. Both groups have an enormous vested interest in preserving the status quo. Overturning an election would dramatically lower their authority---and no ambitious man willingly gives up power.


Most readers at this point will probably be guffawing. This all sounds absurdly complicated. Yes, it is. But so is researching, writing, desktop publishing, and distributing this on-line magazine. Think about how much difficulty would go into tailoring the advertisements on the side of this article to the individual people who are reading it, then deducting micro-payments from those companies, adding them up in my account, then directly depositing the money in my credit union account. Then think about the difficulty involved in keeping track of small monthly subscribers or one-time donations that go to me. But because of modern computer technology all of this is not only navigated by an amateur, it is automated to the point where it is free or almost free for the small business person. This is an absolute revolution in the way computers can handle enormously complex human systems. And it is all something that has happened in a very short period. Indeed, it's something that simply couldn't have been done five years ago. The same can be said about the scenario I've outlined above.

Moreover, contrary to what the casual reader might think, it makes more sense to do this at the municipal level than the provincial or federal. There is no other level of government where an individual elected official has as much power to make or lose money for a business as a city Councillor. There are three hundred and thirty-eight MPs in Ottawa and one hundred and seven MPPs in Toronto. They are also answerable to a formal party structure involving nomination meetings, whips, etc. There are committees, and a complex bureaucratic structure looking over the shoulder of Parliament to ensure that no "hanky panky" takes place. Guelph has twelve councillors who are elected free of any responsibility to a party. They can vote any way that they want. And many votes on contentious issues are very close.

Moreover, the things that Council votes on are really worth a lot of money to a business. Think about the number of condo towers that the city has to vote on, and the various issues involved. The difference between a profitable building and a hugely profitable one can be whether or not a developer can put an extra ten storeys in the design. What if Council decided to over-ride its own official plan and allow a big greenfield development? Given housing prices, that would be the equivalent of a "gold rush" for developers. And there are already people on Council who would probably vote for more suburban sprawl for ideological reasons---could one or two extra votes let that multi-million dollar development go ahead? Maybe a couple hundred thousand thrown to "the cyber mafia" would turn out to be a good investment.


One other point that bears thinking about. I used the example of the Russian gangster for a very good reason. The current Russian government has very close ties to organized crime and uses those connections to further its foreign policy. (This isn't such a strange idea. The CIA used its connections to American organized crime in its attempts to assassinate Castro. US Naval Intelligence also used the mob to help in WWII.) Since subverting the electoral processes in Western democracies seems to be a tool in Russia's current "asymmetrical warfare" against NATO, it would make sense for groups like the GRU (Russian military intelligence) to encourage and even support this sort of activity. To succeed, all the Russians need to do is create chaos in our societies, not get a specific result. This means that all they really need to do is create the tools, spread the knowledge, and encourage criminals to do the rest. It doesn't even matter all that much if the criminals get caught---if your goal is to discredit the democratic system. With the large sums of money at stake in municipal planning decisions, it really doesn't stretch credibility to say that it could be worth someone's while to get one or two different faces on Guelph Council---especially if a GRU subsidy has created a robust industry to do it.
Indeed, the Communications Security Establishment (CSE) recently issued a paper on this issue. It suggests that future Canadian elections will probably be targeted---if not by the Russians, then by other private or state actors. One point that should be mentioned is that the report states that the actual voting process itself (ie: the hypothetical scenario I've outlined above) is largely insulated from cyber attack because at the federal level Canada still uses a paper-based system. And thanks to the recent vote on Council, so does Guelph.

Unfortunately, the USA cannot make the same claim. A large part of the chaos now raging in Washington is the result of revelations that Russian hackers appear to have probed or broken into election-related systems (mostly voter registration databases and election-software vendors) in 39 states. While it is true that the US uses an absurdly decentralized system to manage the process of voting, it does show that our Canadian system of apolitical, centralized bureaucracy serves a very useful purpose. Moreover, our municipal elections have a lot more in common with the US than our federal or provincial systems do. We do not have a well-oiled machine that protects voters from the Russian mob---or from dumb politicians who refuse to listen to experts. Instead, we just have the city clerk's office.


So what exactly does Guelph have to ensure that its elections remain secure?

I emailed the Clerk's office with some questions and got a prompt reply from the city Clerk and Returning Officer, Stephen O'Brien. I asked him some questions about how votes will be recorded during the next municipal election.

First, Guelph elections involve optical scanning machines instead of a hand count. (This is why I used the provincial and federal systems to illustrate the point about transparency preventing ballot box stuffing.) In effect, what people do municipally is make a mark on a paper ballot, place it inside a special cardboard sleeve that hides the vote from anyone else, and then hand the ballot to an election worker who slides it out of the sleeve into a machine that reads the ballot and drops it into a box, where it is stored in case a recount is needed.

Any concerns that might be raised about the transparency and security of the process usually arise at the point the ballot gets read by the machine. That's because the machine is a programmable "black box". The question that arises is "if we can change the programming on the reader, why couldn't it be programmed to ignore or switch some of the votes?" For example, perhaps a machine could be programmed to switch every third vote for candidate Pediwhistle to candidate Optiprime. And since the machine is a black box, no scrutineer is going to have the opportunity to see votes being switched---all they can do is assume that everything's OK.

Leaving aside the question of whether or not that sort of programming is possible---since neither you nor I have the expertise and knowledge to make that assessment---I asked O'Brien why the scanners have to be programmable (like a computer) instead of just being a simple counting machine (like a calculator). He said that the city doesn't actually buy the optical readers; it leases them from a private company on an election-by-election basis. The last two times Guelph has used them, for example, the city used Dominion Voting Systems machines. (The city always puts out a tender for voting systems, as this is best practice.) The idea is that the company can use these machines in other elections besides the Ontario municipal cycle. The company provides machines for union elections and for governments in the USA and as far afield as the Philippines and Mongolia. Each of these different groups uses a slightly different system to elect people, and it is a lot cheaper to change the programming than to provide a different class of machine for each type of election.

How this works out in practice is as follows. One type of election doesn't allow a person to vote for more than one candidate. Others, like Guelph's, allow people to vote twice---for two different Councillors per ward. If Guelph switches to a ranked (transferable vote) system---which the province recently allowed for under law---then voters would rank the candidates, giving a different rank to each. (More about this in a future post.) If each type of machine only allowed one type of voting, each municipality would probably have to buy its own voting machines, which would be really expensive.

A slight majority on Council, along with the Communications Security Establishment, prefers the optical scanner system for the following reasons.

First, the existence of paper ballots allows for a recount. If concerns were raised about a scanner being hacked in order to electronically "stuff the ballot box", the paper ballots still exist and can be checked to see whether every ballot was read properly, rather than some people's votes being switched from one candidate to another.

Secondly, the use of paper ballots allows for random audits of machines to see if they are working properly. Since any effective fraud would either involve a very close race (which would usually cause a recount anyway) or widespread fraud involving multiple machines (because there are multiple polling locations), a random testing regime sized sensibly against the number of machines would probably detect it. Indeed, when I talked to O'Brien about this, he said that the city tests each machine before the vote, and then "locks" each machine and places it in a secure facility before they are distributed to polling locations.

Is the system perfect? No; no system is any better than the people who run it. If the machines can be hacked, then perhaps that could be done by someone on the "inside" using whatever access the machine allows---either through a network cable or a USB drive. But the optical reader system itself is amenable to very simple safeguards that could---at least in principle---be used to protect it. For example, the machines could be hacked after the initial test, but if they were then tested after the vote, presumably that hack would be found. If the hack were timed, so that it turned itself on after the initial test and shut itself off after the vote, then it wouldn't be found by a final test either. But then the city could do randomized tests during the vote count itself, comparing a machine's reported tally against a hand count of the paper it has just read.
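To make the two points above concrete, here is an added example (my own, not the city's or Dominion's software) that simulates the switched-vote scenario from the discussion of the black box, and the random audits that catch it. Twenty hypothetical machines each read 500 constructed paper ballots for the page's two imaginary candidates, Pediwhistle and Optiprime; machine 7 runs the "every third vote" manipulation. Because the paper still exists, a hand count of any machine's ballots can be compared with what it reported, and the detection_probability function shows how likely a random sample of machines is to include the rigged one. All counts, the 52% Pediwhistle share and the machine ids are assumptions.

```python
"""Optical-scanner tampering versus a paper-ballot audit (constructed example).

Added illustration; none of the numbers here come from any real election.
"""
import random
from collections import Counter
from math import comb

PEDIWHISTLE, OPTIPRIME = "Pediwhistle", "Optiprime"  # the page's hypothetical candidates


def honest_tabulate(ballots):
    """What the scanner should report: one count per mark on the paper."""
    return Counter(ballots)


def rigged_tabulate(ballots):
    """The hypothetical hack from the text: every third Pediwhistle ballot
    is recorded as an Optiprime vote.  The paper itself is untouched."""
    tally = Counter()
    pediwhistle_seen = 0
    for b in ballots:
        if b == PEDIWHISTLE:
            pediwhistle_seen += 1
            if pediwhistle_seen % 3 == 0:
                tally[OPTIPRIME] += 1
                continue
        tally[b] += 1
    return tally


def hand_count(ballots):
    """The paper ballots are the ground truth an audit compares against."""
    return Counter(ballots)


def run_election(n_machines=20, ballots_per_machine=500, rigged_ids=(7,),
                 p_pediwhistle=0.52, seed=1):
    """Build a constructed election: each machine gets its own paper ballots
    and reports a tally, either honestly or through the rigged firmware."""
    rng = random.Random(seed)
    machines = {}
    for i in range(n_machines):
        ballots = [PEDIWHISTLE if rng.random() < p_pediwhistle else OPTIPRIME
                   for _ in range(ballots_per_machine)]
        tabulate = rigged_tabulate if i in rigged_ids else honest_tabulate
        machines[i] = {"ballots": ballots, "reported": tabulate(ballots)}
    return machines


def audit(machines, sample_size, seed=0):
    """Hand-count a uniformly random sample of machines and return the ids
    whose paper disagrees with what the machine reported."""
    rng = random.Random(seed)
    chosen = rng.sample(sorted(machines), sample_size)
    return sorted(i for i in chosen
                  if hand_count(machines[i]["ballots"]) != machines[i]["reported"])


def detection_probability(n_machines, n_rigged, sample_size):
    """Chance that a random sample of sample_size machines contains at
    least one of the n_rigged tampered ones (hypergeometric)."""
    if not 0 <= n_rigged <= n_machines or not 0 <= sample_size <= n_machines:
        raise ValueError("sample and rigged counts must fit inside the machine pool")
    return 1 - comb(n_machines - n_rigged, sample_size) / comb(n_machines, sample_size)


def reported_margin(machines):
    """Pediwhistle's lead (negative if behind) as the machines reported it."""
    total = Counter()
    for m in machines.values():
        total.update(m["reported"])
    return total[PEDIWHISTLE] - total[OPTIPRIME]


if __name__ == "__main__":
    election = run_election()
    print("reported margin:", reported_margin(election))
    print("machines flagged by a full hand recount:", audit(election, len(election)))
    for k in (1, 5, 10, 20):
        p = detection_probability(20, 1, k)
        print(f"audit {k} of 20 machines, 1 rigged: P(detect) = {p:.2f}")
```

The detection arithmetic is the caveat. With one rigged machine out of twenty, auditing five machines chosen at random finds it only a quarter of the time; only a full recount is certain. An audit regime therefore has to be sized against the margin of the race and the number of machines an attacker would need to touch to overturn it, which is the reasoning behind the risk-limiting audits some US jurisdictions use. Note also that the audit compares paper to the reported tally rather than feeding the machine test ballots, so a time-triggered hack of the sort described above gains nothing from knowing when the tests happen.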

Unfortunately, a lot of issues in human society come down to an arms race. The police become better at catching criminals, so the criminals become better at hiding their activities. The important point is to level the playing field so both sides have a relatively equal chance at finding out what the other side is doing. If the city were using electronic voting machines or using Internet voting, then there would be no paper ballots to use to double-check to see how the system is operating. The important point is to not tilt the playing field and leave the city trying to play without a goalie. I don't want to give the Russian mob an opportunity to score on an empty net. Do you?


One last point where I was pleasantly surprised. If a candidate breaks the rules governing election finances during a municipal election, the ultimate sanction is the City Council itself. And since its ultimate authority is based on that election, it is a historical fact that Councils in Ontario are extremely reluctant to call elected officials to task for breaking the financing rules. I assumed prosecuting individuals who break the laws governing voting would similarly be at the discretion of Council. O'Brien told me no, that isn't how it works as set out by provincial statute. If he believes that there is evidence of vote tampering he passes on the information to the police, not City Council. Since they answer to the province through the Police Board, they are independent in a way that even Elections Canada and Elections Ontario are not. This means to me that, in this way at least, our municipal elections are more secure than those of the other two levels of government.

