Establishing a Legal Framework for E-voting in Canada
3.0 Background, Context and Literature Review
This paper explores legislative issues related to alternative voting methods in both controlled as well as uncontrolled voting over the Internet. An example of a controlled voting environment would be a stand-alone voting kiosk (not connected to the Internet) run by election officials at a specially designated polling area. Uncontrolled e-voting is essentially voting by a home or public computer using an Internet browser or a specialized application that securely transmits a ballot over the Internet.
In developing a legal framework for e-voting, one should be aware of how different types of e-voting work, what constitutional requirements may exist in Canada, what other jurisdictions experiences are with e-voting and what international guidelines currently exist. The following is a summary of the background work that was used to formulate this paper's recommendations.
E-voting in an Uncontrolled Environment (Internet Voting)
Mechanics of E-voting in an Uncontrolled Environment
An uncontrolled environment includes the home, where a voter uses a personal computer to cast a ballot that is transmitted electronically to a server operated by the government.Footnote 2 Similar to mail-in ballots, in an uncontrolled environment, there is no way to ensure that a voter's privacy is not compromised, potentially facilitating bribery or intimidation. Unlike with controlled voting, election officials do not have the ability to test the voting device (the user's computer), potentially increasing the risk that malware or a virus could manipulate voters undetected. These programs could alter individual votes or falsely indicate that their vote had been uploaded to a server (Beaucamps et al. 2009). Similarly, there are worries that counterfeit websites or fraudulent emails may mislead less technically savvy voters into thinking they had casted a vote (Geist 2010).
With Internet voting, the voting software is installed on a server or across multiple servers at secure locations, and voters cast their ballot either by downloading a secure voting application from the elections administrators' website, which then sends an encrypted vote over the Internet, or by logging directly into a secure web portal to vote. Also, some vendors may provide applications that can run on smart phones and tablet computers. Uncontrolled systems are often used as an alternative to postal voting, allowing voters who will be outside a voting area or more than a certain distance from a polling station to cast a ballot from any location. By automating counting and avoiding having to rely on international postal services, electronic voting can reduce the logistics in enfranchising voters (Goldsmith 2011). For instance, France allowed all citizens who lived overseas to vote online in its 2012 parliamentary election. Some jurisdictions, such as the Australian state of New South Wales, have implemented this system to assist individuals with disabilities who may have difficulty getting to the polls or who live more than 20 kilometres from the polls. Others, such as Estonia, have implemented Internet voting to supplement advance polls, allowing anyone to cast a ballot from home, provided they do so a few days prior to the election.
Before voters can cast a ballot, they will need some way to confirm their identity. This can be done through biometric systems or multiple factors, such as a combination of voters' personal information with a passcode issued by the electoral authority (Goldsmith 2011). Estonia, for instance, mainly relies upon a national identify card that is swiped like a credit card on a card reader that can be hooked up to a computer.Footnote 3 The state of Gujarat, in India, sent out election personnel to manually confirm voter identity for a small fee, and voters were then given a biometric card and personal identification number (Urban Development and Urban Housing Department Orders, rule 6A3). New South Wales allowed voters to register over the phone or online, but they had to already have their name on the voting register. Some implementations in Norway and Switzerland involved sending voting cards to all registered households and allowing voters to log onto the system using a personal detail such as a birthday. For security, passwords were provided by a secondary method.
Most of the systems provide officials with the online results that they then combine with traditional results, although Australia requires the ballots themselves to be printed and then counted at the same time as postal ballots.
Advantages of E-voting in an Uncontrolled Environment
Voting through the Internet presents far more advantages than using electronic methods as an alternative to paper balloting at a controlled site. It may encourage participating in the balloting process by many voters who are currently discouraged by the time and inconvenience of having to attend at a physical location. Rural voters may find the travelling distance to the polls to be a hardship; some voters may have very little time to spare given their occupational or domestic responsibilities. Some may have responsibilities to care for children, or persons with illnesses or the elderly, and not wish to leave those in their care; others may themselves be tired, ill or physically disabled, and find the journey to the polling station difficult or impossible. Internet voting may be a means of increasing overall participation rates and in some respects increasing equality of access.Footnote 4
Risks of E-voting in an Uncontrolled Environment
Public commentary on Internet voting includes perspectives that are highly sceptical, often including assertions that the inherent technological risks simply cannot be overcome.
Proponents of Internet voting have sometimes pointed out that there is a long track record of using the Internet for sensitive transactions in the financial services area. The material interests of those involved in these transactions are high, and the incentive to fraudsters is substantial. Yet electronic systems of registering and transmitting financial transactions are routine in Canada and internationally.
Sceptics respond that there are major differences between the commercial and political contexts (Smith 2006).
With financial transactions, institutions enhance the security of transactions by insisting that users identify themselves in a reliable manner, and record and maintain the user's identity in connection to the transaction. With voting, by contrast, there is a strong emphasis on secrecy. In paper balloting, no permanent record is maintained that links an individual to a choice.
Additionally, sceptics of Internet voting might also argue that the user has a choice of whether to use technological or traditional means with financial transactions. The consequences of failure or tampering are primarily a matter for the user and financial institution to resolve, and may have little or no effect on third parties. In elections, however, a choice is being made about who will exercise government power over the entire community. The consequence of system failure could affect everyone, including individuals who wished to register their own vote only by traditional methods.
With financial services, the user also has a choice about which financial institution to use; a client can steer clear of those whose record of technological reliability or security seems dubious, or whose system seems unduly time consuming or difficult to use. The voter who is unhappy with the technological options offered by Canada's electoral system does not have the ability to switch to another provider of voting services.
The point can also be made that financial transactions take place many times a day, and the individual user is likely to engage in a number of transactions in a given year. As a result, both the institution and the user can identify problems, learn from them, and acquire considerable facility in using technologies. By contrast, federal general elections are an infrequent event in Canada – one every three to five years is typical – and there may be far less opportunity to incrementally observe both the objective features of a system and the facility of clients and institutions in operating them. With a limited window of usage for deployment and real-world testing, there may be room for vulnerabilities in the server or potential for collusion or manipulation by insiders who could attempt to modify votes by hiding program-altering code within a server (Jones and Simons 2012).
It can be further argued that the consequences of failure can be better managed in the financial services context. There may be a limited amount of malfunctioning of fraud in a large pool of transactions. When problems are detected, the user can be compensated by the institution, at least if it is not the user's own fault. The costs of compensation can be drawn from greater revenues or the cost savings achieved by operating the electronic system in general.
In the electoral context, a system failure, or perceived failure, might at least temporarily, or for a number of years, result in state authority being exercised by office holders who have not legitimately earned it, or might erode public confidence in whether authority is legitimately held. As one of the critics of Internet voting pointed out, "All an attacker has to do is to create the impression that something went very wrong. The losing candidate will do the rest" (Rubin 2007, 2). Not all of the risks involve actual manipulation or problems with the integrity of votes cast. A denial of service attack, such as happened against the New Democratic Party (NDP) in March 2012 when online voting in its leadership contest was slowed for several hours, risks disenfranchising voters if it can temporarily overwhelm the system and render it unusable for authorized voters (Geist 2012).
Proponents of Internet voting might point to case studies where it has been successfully used. A large part of this report will consist of canvassing the lessons of experience with voting in other countries or at the local level within Canada. There appear to have been some successes, including national-level voting in Estonia, and local-level voting in Norway and several locations in Canada, including Halifax and Markham, Ontario.
There is also a potential social inequality objection to Internet voting. While proponents might argue that it might reduce the difficulty of voting at a polling place for a variety of citizens (e.g. persons in geographically remote locations, those with care-giving responsibilities and persons with disabilities), it might exacerbate inequality in certain respects. The literature on the Internet speaks of the "digital divide" – a schism in society between those who have access to the online world and are adept at using it, and those who may lack access (due to affordability or location) or who may be uncomfortable with it. The ranks of such relatively disadvantaged individuals may disproportionately include members of groups that are entitled to protection from discrimination under the Canadian Charter of Rights and Freedoms and the Canadian Human Rights Act. Communities not equipped with Internet service may include remote Aboriginal communities. Those without the financial resources to access the Internet may disproportionately include individuals such as recent immigrants, the elderly or again, Aboriginal communities.
The concept of "discrimination" under the Charter and the Canadian Human Rights Act, it should be emphasized, is not confined to intentional adverse treatment on the part of the state. There is a duty to avoid "adverse effects" discrimination; to avoid enacting and implementing laws and measures that have the practical effect, even if unintended, of placing disproportionate burdens on bases that are prohibited by the Charter or the Canadian Human Rights Act (e.g. ethnicity, age, gender). Public authorities have a responsibility to accommodate, to the point of undue hardship, the needs of those who might otherwise sustain burdens on such impermissible grounds. When considering e-voting, authorities have the responsibility to ensure that when drafting a legislative framework, even if unintended, the practical effect of the framework should not be to discriminate against any voters.
Each of the challenges presented by sceptics must be taken into account in crafting a legal framework for Internet voting.
With respect to the technological objections, attention must be given to the potential for hardware malfunction or software tampering, to ensure that either can be detected in time to prevent harm before balloting is concluded, or at least that corrective measures can be taken afterwards.
With respect to the concern over loss of voter secrecy, means may be considered to lessen or overcome the risk, such as permitting a voter to use remote means to cancel and replace an earlier vote (when the voter might have felt under observation or pressure) or to vote on the regular election day and replace an earlier electronic vote with a paper-based one.
With respect to concerns over equal access to the ballot, consideration should be given to measures that will increase access to the necessary technologies, such as permitting voters to vote by relatively low-cost means such as cell phones or tablets, rather than desktop computers; to permit voters to use publicly accessible computers to vote, such as those that might be maintained at libraries or government offices; and to provide support for voters who are less familiar with technology, such as providing user-friendly means of voting along with clear and simple instructions, and access to phone help lines.
Even though one can look at technological attempts to minimize the risks associated with Internet voting, it is crucial to recognize that it is not sufficient to render the voting system intrinsically trustworthy. The system must in practice be trusted by the Canadian public, and not only by a particular group of government bureaucrats or information technology specialists who work on the project. The paper-based voting at public balloting stations has earned a large measure of trust from Canadians through long use, simplicity and transparency. If Internet voting is to secure mainstream acceptance, there should be transparency in how the system works. Pilot projects that test the system ought to be implemented, with significant effort made by electoral authorities to explain how it works; what security measures are in place; and how malfunction or tampering will be deterred, detected and remedied.
Another crucial point to recognize in designing a legal framework is that attention must be constantly given to how things can go wrong, and to institute a framework for detection, containment and remediation. It appears to be a natural human tendency to think in terms of optimistic scenarios (Kahneman 2011). However, in designing a legal framework, it is the negative scenarios that require our attention.
Threats to an electronic voting system may come from those motivated by political purposes or from technologically sophisticated individuals with no other purpose than to prove that vulnerabilities can or do exist.
E-voting in a Controlled Environment (Supervised Voting)
Mechanics of E-voting in a Controlled Environment
A controlled environment is one managed and supervised by the government. Electoral authorities provide the hardware and access to it. Voting in controlled environments uses electronic methods that are similar to those used when voting at a polling booth.
Elections officials may choose to use a custom or standard stand-alone kiosk (not connected to the Internet) that allows users to cast ballots. E-voting in a controlled environment is perhaps the most common alternative form of voting, since large countries such as India and Brazil, as well as many electoral officials in the United States, have already adopted this. The introduction of voting machines in India replaced some 2.5 million ballot boxes that needed to be secured (Kumar 2011). Voters are still required to physically attend a polling station and properly identify themselves to electoral authorities before being permitted to use a voting machine. Most of these machines are stand-alone kiosks, meaning that they are not connected to the Internet.
Advantages of E-voting in a Controlled Environment
Many Canadians are familiar with the fact that voting in the United States is often conducted via electronic voting machines. In the United States and other jurisdictions, voting machines were chosen because of the general complexity of counting voting results from various elections and referendums that were held simultaneously. Electronic machines were introduced to replace older machines using levers. In some South American countries, such as Brazil and Venezuela, the motivation behind moving to voting machines was primarily due to a lack of trust in local elections officials, and a genuine perception that voting equipment would provide more reliable results that were relatively immune to manipulation by voting authorities (Alvarez et al. 2011).
The advantage of controlled voting over uncontrolled voting is that many of the checks and balances of the current process remain, including ensuring that voting is done privately and that only eligible voters are allowed to cast the vote. Voting machines may either store the electronic votes in their memory, to be manually transferred to a central vote counting system, or may be connected to the Internet to automatically transfer the ballots to a centralized computer where they would then be counted.
Risks of E-voting in a Controlled Environment
As with other technologies for voting, voting machines must be both intrinsically trustworthy and actually trusted by the public. A potential risk is that malicious software may be installed on one or a number of the machines that may alter the results. Hardware malfunctions are also potential. For instance, Ireland had spent 50 million euros on purchasing voting equipment, but eventually scrapped it after issues arose with how the machines handled the country's more complex voting system,Footnote 5 and the decision became over-politicized (Melia and Byrne 2012). Similarly, the Netherlands banned voting machines after a report showed that it was possible to install malicious software on the specific type of system it was using and even to uncover how a voter voted by monitoring electromagnetic signals produced by the analog monitors that were used at the time (Gonggrijp 2006).
One of the major challenges of controlled e-voting is guaranteeing that the software running on each of the machines corresponds exactly to that which has been approved (Lundell 2007). As each machine may record hundreds of votes, all it may take is a small number of machines to have malicious software installed to alter an election. There has been much debate regarding whether the machines should leave a paper trail or some independent means of verifying that all votes were accurately cast and counted. The variety of available equipment on the market has led to the establishment of certification programs to ensure that the machines perform as they are supposed to, including requiring testing for accessibility and conducting physical security procedures designed to ensure the systems have not been compromised.
Controlled electronic voting may not present as many technological challenges as uncontrolled or Internet voting. Every voter uses the same kind of machine in a similar environment. A machine can be designed, inspected and its use supervised by government. However, our case studies show that the value of controlled voting tends to be outweighed in practice by its expense and risks of malfunction or tampering. There are upfront purchase or lease costs and additional costs may be incurred to securely store or move the machines between elections.
There may be advantages in controlled voting where balloting involves the voter registering many choices (such as choosing candidates for multiple offices) or potentially (as was considered in Ireland) for streamlining a time-consuming and complicated voting system. However, in Canada, federal elections continue to be based on the first-past-the-post system. A fairly small number of candidates are listed on a ballot, and the voter selects only one.
Moving to stand-alone e-voting at polling places instead of a paper-based system would likely decrease the transparency and increase the expense of an election without providing any real benefit to the average voter. There may be a limited use for stand-alone e-voting as a supplementary voting method for voters who otherwise could not vote unassisted. One such use was piloted in the by-election in the federal electoral district of Winnipeg North in 2010, to assist visual impaired and disabled voters to fill out ballots, relying on a voting machine instead of a person to assist them (Elections Canada 2011a). In such a situation, the machine could read a ballot to a voter and help them record their choice. The ballot would then be printed and counted alongside the ballots of other voters.
In addition to stand-alone e-voting, there may also be a desire to allow a voter to cast an Internet ballot in a controlled environment. Potential usages could include voters in the military, prisoners or overseas voters casting ballots at embassies or consulates.
The main focus of this study is Internet voting in an uncontrolled environment, and our recommendations will chiefly focus on establishing a framework for Internet voting. However, a few brief observations at the end of this report are presented for adapting these recommendations to e-voting in a controlled environment, specifically focusing on instances where a voter may cast an Internet-based vote in a controlled location.
The Right to Vote
When developing a specific legal framework for Canada, it is useful to look briefly at international legal frameworks to examine if there are any constraints or requirements regarding voting rights that must be taken into consideration. While there are general documents such as the United Nations International Covenant on Civil and Political Rights (ICCPR) that define some of the basic values surrounding free votes, there is no uniform set of criteria that has been released for e-voting in any convention that Canada has signed (US EAC 2011). The ICCPR specifies that citizens have the opportunity to "vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors" (International Covenant on Civil and Political Rights, article 25(b)).
It is important also to realize that in Canada, the Constitution of Canada, including the Canadian Charter of Rights and Freedoms, and not international public law, is supreme. The incorporation of international agreements into international law is properly the role of Parliament or the provinces. However, the court may construe the Charter in a manner that is compatible with international agreements to which Canada is a party.
Surveying the international treaties, including documents such as the Organization of American States's Inter-American Democratic Charter (OAS 2001), broad principles emerge, such as holding regular free and fair elections based on a secret ballot and universal principles. Most of the treaties, however, only cover broad principles that are found in our current system and do not specifically address issues with online voting. The only current international standard covering any form of e-voting is the Council of Europe's Recommendation Rec(2004)11 (COE 2005), discussed later, but these recommendations are not binding on Canada.
Canada's Charter has two provisions that are especially relevant to voting. One is the s. 3 requirement that "Every citizen of Canada has the right to vote in an election of members of the House of Commons or of a legislative assembly and to be qualified for membership therein." Also pertinent is the s. 15 equality guarantee, which can be used to ensure equal opportunity.
The right to vote has been described in the courts in Canada as both the right "to effective representation" (Reference re Prov. Electoral Boundaries (Sask.)), 160) and generally including "values embodied in a democratic state" (Haig v. Canada, 1031). McLachlin J, then a member of the Supreme Court of British Columbia, had listed the following included rights (Dixon v. British Columbia (Attorney General))Footnote 6:
- The right not to be denied the franchise on the grounds of race, sex, educational qualification or other unjustifiable criteria;
- The right to be presented with a choice of candidates or parties;
- The right to a secret ballot;
- The right to have one's vote counted;
- The right to have one's vote count for the same as other valid votes cast in a district;
- The right to sufficient information about public policies to permit an informed decision;
- The right to be represented by a candidate with at least a plurality of votes in a district;
- The right to vote in periodic elections; and
- The right to cast one's vote in an electoral system which has not been "gerrymandered" – that is, deliberately engineered so as to favour one political party over another. (Dixon v. British Columbia (Attorney General), 16)
McLachlin J added a tenth precept, that of the right to voting representation by population.
In the course of deciding practical cases, courts have clarified and qualified some of these general formulations of voter rights. For instance, the courts have explained that a voter's right to an informed decision requires voters to be "reasonably informed," and this requires that candidates have a "reasonable opportunity" to communicate their policies to a voter (Figueroa v. Canada, 914).
Thus, Canadians have a constitutional right to vote. Embedded in the right to vote is a set of values. To ensure those values are meaningful, the government may have to ensure the legal framework for conducting elections allows Canadians to take advantage of those values.
Section 3 of the Charter places a positive obligation on the state to uphold the right of participation in the voting system. This positive obligation requires that "[e]very reasonable effort should be made to enfranchise citizens" (Haig v. Canada, 1048) and recognizes that "[c]itizens cannot exercise s. 3 rights on their own, without the state's involvement" (Figueroa v. Canada, 981).
If traditional voting methods are unable to accommodate disabled voters who have a difficult time making it to the polls, remote voters or Canadians who are outside of their voting districts, then investigating or embracing proven technology could be considered a government obligation. Accommodation is important, as "the fairness of the system involves looking at how each citizen fares in relation to others" (Figueroa v. Canada, 981).
In Hoogbruin v. A.G.B.C., the British Columbia Court of Appeal held that s. 3 of the Charter, with its affirmative duty on the part of government to take steps to facilitate voting, required the province of British Columbia to make provisions for voting by otherwise eligible voters who were outside of the province during an election.
In Henry v. Canada (Attorney General), at issue was the legislative requirement that a voter produce a piece of identification, proving identity and place of residence, from a list of approved documents. The plaintiffs contended that this requirement discouraged or prevented voting by individuals from various groups, including Aboriginal voters, Aboriginal voters from rural areas, homeless voters, low-income voters, voters with disabilities, elderly voters and voters without government-issued identification bearing their names and addresses.
Justice Smith, in her ruling in Henry, reviewed the case law on s. 3, and concluded that it places a strong facilitative role on governments to provide opportunities to vote to all citizens and to avoid placing extra burdens on particular groups of voters:
Section 3 rights are "participatory in nature" (Figueroa at para. 26) and the Charter creates a positive obligation on the state to put in place appropriate arrangements for the effective exercise of the right to vote... (Henry v. Canada (Attorney General) paragraph 140)
In creating the election apparatus, Elections Canada must ensure that the process of voting is as easy and straightforward as possible for all voters. The Charter value of equality (set out in s. 15 of the Charter and recognized in a number of cases: ....) comes into play in ensuring that s. 3 of the Charter is understood and interpreted in a way that maintains the Charter's underlying values and internal coherence. No group or category of voters should be disproportionately burdened by the requirements imposed for voting, even if the requirements are, on their face, neutral. The government would not be meeting its obligations to conduct fair elections if it failed to take steps to ensure equal access to polling stations and to accommodate Canadian citizens, in all of their diversity, in becoming registered electors and exercising their right to vote. (paragraph 143)
Essentially, Justice Smith's analysis seems to suggest that the affirmative duty under s. 3 of the Charter to facilitate voting should be construed in an egalitarian manner; that it extends to concerns to ensure that no group of voters is adversely affected; and that it is not confined to s. 15 protected groups, but can extend to other bases of inequality. For instance, while the Constitution of Canada generally does not require the government to provide the poor or homeless with economic services, the right to vote would require additional steps to ensure these people can exercise their right to vote.
While the goal should be to make it easy for every eligible Canadian to vote, the Constitution of Canada only requires the government to take steps that can be reasonably justified. Justice Smith concluded that the voter identification card requirements in the Canada Elections Act prima facie breached the Charter, but were "saved" by the "reasonable limits" clause in s. 1 (Henry v. Canada (Attorney General), paragraph 145). The right to vote under the Charter can be justified if a restriction on voting is a proportionate means of achieving an important public interest such as ensuring that unauthorized voters do not affect the results of an election.
Parliament and Elections Canada have a duty to take reasonable measures to accommodate and facilitate voting, which may include the use of Internet voting. While it is unlikely that a court would prescribe a certain way to vote, the government is still under a duty to consider whether the current alternatives, such as postal or assisted voting, best accommodate the diverse voting needs of the electorate. For instance, blind and otherwise disabled voters may have a difficult time casting a vote in secret without some sort of assistive technology. Section 3 of the Charter also intertwines with requirements of the Canadian Human Rights Act. Ensuring accessibility may also be considered an inherent s. 3 requirement, as "voting is one of the most sacred rights of citizenship and that includes the right to do so in an accessible context" (Hughes, James Peter v. Election [sic] Canada, paragraph 62).
On the other hand, even if Internet voting is the best way to facilitate voting, the government may be justified in avoiding it based on concerns about cost or the integrity of the vote.
In considering Internet voting as a means of addressing the constitutional duty to facilitate access to voting, Parliament must also consider – under s. 3 as well as under s. 15 – whether doing so has the practical effect of disadvantaging certain groups of voters. There are potential tensions between the goal of generally increasing accessibility to voting and maintaining equality. Internet voting might facilitate greater participation in elections in general, but in doing so disproportionately favour those who are fairly prosperous, young and technologically adept, and those living in well-wired urban communities. It might increase the voting rate among such persons disproportionately in comparison with groups that include the poor, elderly and uneducated, and those residing in remote areas, including some Aboriginal communities.
The issue of discrimination associated with the "digital divide" and Internet voting was actually raised and tested in the United States in Arizona (Voting Integrity Project v. Fleisher). There, a civil rights argument was made against electronic voting in that it would be more advantageous to white voters to have an online vote and thus would dilute the voting capacity of Latinos and other racial minorities, who in 2000 had a fairly low computer usage rate. The court, however, found that since alternatives to online voting existed, such as traditional mail-in ballots, there was no violation.
An evaluation of whether Internet voting disadvantages any group would have to take into account the extent to which the existing system tends to disadvantage certain groups. Design and evaluation of Internet voting would also have to consider the extent to which the government has made a reasonable effort to address inequalities, even if it is not fully successful in doing so. Among the measures that can be considered are permitting Internet voting via tablet computers or cell phones, rather than only desktop computers; facilitating access to Internet voting at free and publicly accessible computers, such as those that might be found in public libraries; subsidizing improvements in Internet connectivity for remote areas, including First Nations reserves that currently lack it; and carrying out programs to inform and educate the general public about Internet voting, supplying user-friendly instructions and maintaining phone help lines to walk individuals through the process.
It should be noted that it would likely not be constitutionally problematic for Canada to confine Internet voting to members of groups that currently tend to be disadvantaged, such as persons with physical or mental disabilities that make on-site polling difficult or persons who live in areas remote from polling stations. Section 15(2) of the Charter has been construed by the Supreme Court of Canada as precluding s. 15 challenges to programs that have an affirmative action character. While there is no express counterpart to s. 15(2) in s. 3 of the Charter, a court would likely be sympathetic to a "reasonable limit" argument that the Government of Canada, when setting up Internet systems, is justified in focusing its attention and resources on persons who are currently disadvantaged.
One of the areas not fleshed out in Canadian jurisprudence regarding the right to vote is whether there is an inherent right to a transparent electoral process. Is there an implied duty of transparency with respect to the conduct of elections under s. 3 of the Charter? Must there be adequate opportunities for the public to scrutinize whether the voting process is properly registering and counting voter selections? This was not identified directly in the Dixon decision, although the corollary to the "right to have one's vote be counted" would logically imply a right to know that one's vote is counted.
A German Federal Constitutional Court case (BVerfG, 2 BvC 3/07) addressed this very issue. The court effectively banned kiosk-style voting machines because they violated the "public nature" of elections by not providing the sufficient transparency:
The public nature of elections is a fundamental precondition for democratic political will-formation. It ensures the correctness and verifiability of the election events, and hence creates a major precondition for the well-founded trust of the citizen in the correct operation of the elections. (BVerfG, 2 BvC 3/07, paragraph 107)
The German court found that a reliable correctness check would be needed, and that it was up to the legislature to ensure it existed. The voting machines in question were not examinable by the public and voting officials, and questions arose whether the results were beyond manipulation. Perhaps pertinent to Canada, the German court found that the fully public nature of elections could be tempered by other values such as achieving as comprehensive participation in the elections as possible (BVerfG, 2 BvC 3/07, paragraph 128).
The requirement of transparency, at least to some extent, is likely to be a value that the courts could find inherent in s. 3 of the Charter.
Functional Equivalence to Current Voting Legislation
Courts have developed the constitutional jurisprudence by examining the contents of actual election statutes and determining what general principles underlie the details. One can look at rules and procedures to determine their functions (or objectives) in order to determine how the rules can be applied in an equivalent way under a different context. This is known as functional equivalence.
As an illustration of functional equivalence, before being allowed to vote at a polling station, a voter is required to show identification (to ensure only eligible voters can vote) and is given a blank ballot to put in a sealed ballot box (to ensure anonymity). An absentee voter must apply to the electoral authority and then will be mailed a blank ballot, an envelope for that ballot and an outer envelope that he or she is required to sign. The purpose of the outer ballot is to allow the electoral authority to verify that the voter is an eligible voter, while ensuring the person opening the envelope cannot see the actual ballot (to ensure anonymity). These are different procedures aimed at equivalent functions: secrecy and ensuring only eligible voters vote.
The functional equivalence principle requires that legislators identify the purposes served by traditional means of voting, and then establish a legal framework to ensure that e-voting rules also accomplish those purposes.
The challenges in drafting legislation for Internet voting are similar to other adaptations of traditional law to allow technology. For example, the United Nations Commission on International Trade Law (UNCITRAL), in drafting model legislation for e-commerce and digital signatures, used four pillars to shape its framework: non-discrimination, functional equivalence, media and technology neutrality, and party autonomyFootnote 7 (Castellani 2010).
These principles apply to Internet voting, in that the legislation should not limit technological choices unduly or be designed so that only a certain vendor or technology may be used in cases where a better technology or solution may exist (which is the principle of non-discrimination). Functional equivalence requires that regulations affecting technology should allow it to be as good as or better than the current system, while ensuring that proposed laws reflect the purposes and functions of the traditional law (United Nations 1999). Thus, how can the purposes and functions of a normal law be made compatible with technology?
Functional equivalence is common in Canadian law relating to technology. Ontario's Electronic Commerce Act, 2000, lists a series of functional equivalence rules that recognizes when an electronic document can be used instead of a paper one, including the criteria for assessing reliability in light of all the circumstances and whether the information remained complete and unaltered (s. 8). It also mandates which rules do not apply and which ones can be substituted. Quebec's An Act to Establish a Legal Framework for Information Technology also requires the application of functional equivalency. Under this Act, technology can be used if a document meets all the legal requirements and fulfills the functions of the original system. Special attention is provided to measures ensuring integrity.
- Integrity is ensured if it is possible to verify that information has not been altered (s. 6).
- Integrity is preserved throughout the technology's lifetime, from creation to destruction (s. 6).
- In assessing integrity, particular account must be made to security measures (s. 6).
- Where information contained is confidential, confidentiality must be protected by means appropriate to the mode of transmission (s. 34).
Additionally, Quebec's Act allows additional regulations to be created by the government based on "technical norms or standards approved by a recognized body" (s. 8) and anticipates the creation of a "multidisciplinary committee" of members with information technology experience to make appropriate guidelines regarding technical standards, encryption methods and more (ss. 63, 64 and 65).
Applying these standards to the task at hand, the issue is how to ensure that the current electoral values or expectations are kept intact, while identifying specific legislative changes to be made to ensure electronic voting is as good as or better than current similar procedures. To do so, one can look at how voters vote, how their identity is checked, how various parties oversee the election results and how recounts or election challenges could occur.
There are actually four possible approaches to functional equivalence, involving various comparators.
- Is an electronic system superior to, or as good as in all respects, in-person voting at a voting station? (This is referred to as the gold standard or "Pareto superiority.") That is, no single aspect (such as secrecy) is lessened, and at least some aspects (such as accessibility) are improved.
- Does an electronic system, on balance, serve the core values of voting in person at a voting station? That is, the guarantee of secrecy may be lessened while another value, such as accessibility, may be improved.
- Is an electronic system superior to, or as good as in all respects, special or mail-in voting?
- Does an electronic system, on balance, serve the core values of special or mail-in voting?
Many of the principles of voting are related to the risks. For many commentators, the risks associated with online voting are analogous to postal voting used for special ballots (Alvarez and Hall 2008). Postal voting has increased risks, such as security of the ballot and uncertainty whether a ballot may ever reach its destination. Secrecy is also entirely dependent on proper procedures being followed in any remote system in separating the identity of a voter from their vote (usually by using an inner envelope with a ballot and an outer envelope with the voter's signature). An Australian court found that the provisions of mail-in balloting violated the secrecy of the vote, but the practice was allowed as an alternative means to facilitate the right to vote for those who would otherwise be unable to discharge their obligation to vote (Yarran v. Blurton). Likewise, there is no opportunity to verify who is actually filling out a ballot or whether a voter is being observed in casting their ballot.
Even in-person voting has risks, as evident by the extensive lists of potential voting offences that exist to mitigate abuses. Recounts often show large inconsistencies in ballots due to human error, voter impersonation can occur and a high level of discretion is often used in disqualifying ballots that appear to have any irregular marking. As Justices Moldaver and Rothstein recently stated, "[g]iven the complexity of administering a federal election, the tens of thousands of election workers involved, many of whom have no on-the-job experience, and the short time frame for hiring and training them, it is inevitable that administrative mistakes will be made" (Opitz v. Wrzesnewskyj, paragraph 2). In stating so, the justices set aside strict compliance with the Canada Elections Act in favour of finality and legitimacy of the results.
Instead of perfection, decision makers should look toward the threshold of risk or error that can be accepted. The question is, "given that no system can be 100% secure, what level of risk can be accepted for such a fundamental democratic process as voting?" (US EAC 2011, 7).
The Canada Elections Act clearly defines criminal acts, such as manufacturing a ballot box with a fake compartment or printing additional ballots, and uses a combination of penal deterrence, voting procedures and the appointment of scrutineers by political parties to minimize the potential for fraud or manipulations.
From reviewing the literature, it is clear that no electoral mechanism (electronic or paper) can ever be absolutely secure from every possible error or risk. The greater question is: Can the regulatory framework and associated legislation (regarding electoral offences and election oversight) provide voters as well as political stakeholders sufficient confidence that risk is minimized and that contingencies are in place to cover the range of foreseeable circumstances?
Case Studies on E-voting
Canada is not the first jurisdiction to examine Internet voting, and other places have developed their own legal framework for e-voting in an uncontrolled environment. This paper primarily analyzes legal frameworks from four jurisdictions – Estonia, New South Wales in Australia, Switzerland and Norway – but also looks at France's parliamentary elections for voters abroad and municipal tests in Ontario and Nova Scotia.
Our general observation from the four primary jurisdictions is that a high level of planning and testing were involved in advance of conducting an e-vote. While the legal frameworks in some cases were overly informal or ad hoc, the electoral authorities often adopted policies and procedures that ought to be mandatory.
The most widespread use of e-voting has been in Estonia. In the 2011 parliamentary elections, more than 140,000 Estonians voted over the Internet, amounting to nearly a quarter of all votes (Estonian National Electoral Committee, n.d.). Estonia has allowed its voters to cast a ballot over the Internet in local elections since 2005 and national elections since 2007 as part of the government's e-government strategy (Barrat i Esteve et al. 2012b). E-voting is generally seen as secure, because voters utilize a national digital ID card that has also been used for services such as tax filing, insurance and public transportation (OSCE 2007). Additionally, Estonia has taken steps to counter concerns about third parties putting illegal pressure on people casting a vote over the Internet, by allowing them to revote.
While e-voting has been used in five major elections in Estonia, there has been some criticism that the legal framework was underdeveloped. For instance, the conditions for invalidating voting results was not formalized in legislation and there was no independent body responsible for certifying the software. In addition, the National Electoral Committee did not have its own technical expertise (OSCE 2011). Estonia's legal framework has improved since the last election, as its Parliament approved legislative amendments in the fall of 2012 that among other things established a specialized electronic voting committee and specified the authority to stop or cancel e-voting.
New South Wales
The Australian state of New South Wales, home to Sydney and with a population almost as large as Quebec, recently introduced Internet voting. Voters who were visually impaired, disabled, would be out of state at general polling day or lived more than 20 kilometres from a polling station could register to vote over the Internet. Over 46,000 voters cast their ballots in the May 2011 general election (Brightwell 2011).
Of all the jurisdictions using Internet voting, New South Wales resembles Canada closest because it uses single member districts (for at least some seats), has an independent electoral authority, and has a format for its electoral legislation that is similar to that used in Canada. However, New South Wales differs slightly in that it uses a more complex instant runoff voting system involving preferential ballots. In order to bring in e-voting, New South Wales amended its voting legislation to add a section on e-voting, including the conditions under which it could be used and specific offences. The legislation listed major e-voting requirements and gave the state's electoral authority extensive regulatory power to create specific voting procedures (New South Wales Electoral Commission 2011).
Switzerland is a federal state in which 26 separate cantons each administer their own elections, and voters have the right to vote on initiatives and referendums in addition to electing their representatives in the National Council. Four cantons have adopted Internet voting, a number that is constrained by Swiss laws that limit the number of voters who can use e-voting in a general election. The most relevant of these is the canton of Geneva, with a population of 460,000, that has held nearly 20 elections or referendums in which some or all voters have been able to vote online since 2003. Switzerland requires co-operation between the federal and cantonal government to administer elections (République et Canton de Genève 2009).
Acceptance of Internet voting is also seen as higher because postal voting had already been quite common and it is treated as an alternative to remote voting (OSCE 2012a). While major e-voting requirements are listed in Switzerland's enabling legislation, it lacks a set of detailed criteria that can be used to certify a system's adherence to these requirements. The Organization for Security and Co-operation in Europe (OSCE) recommended that clear, written and testable standards on certification be developed and regularly reviewed and updated. It recommended that the legal framework include requirements for security, transparency, reliability, ease of use and secrecy of the vote (OSCE 2012a).
Norway, with a population slightly larger than that of British Columbia, has taken a highly methodical and cautious approach to introducing e-voting in the country. In 2011 municipal elections, over 27,500 voters in 10 municipalities cast a vote online in a pilot project that was unique because the government focused on making the e-voting system highly transparent. While implemented for local elections, the system was designed for an eventual national election. The Ministry of Local Government and Regional Development oversaw the development of sophisticated e-voting software, and various departments of the national government hosted various parts of the system to prevent collusion (Norwegian Ministry of Local Government and Regional Development 2011).
Norway aimed at ensuring public acceptance for e-voting, with source code published online, confirmation of votes through cell phones, web casts of de-encryption and explicit adherence to the Council of Europe recommendations (Norwegian Ministry of Local Government and Regional Development 2006). However, because e-voting was seen as a pilot project, the legal framework is very ad hoc. In particular, the regulation lacked detailed provisions related to set-up, operation, security, testing and data disposal procedures for the system and the regulations "did not define the concrete grounds for invalidating an electronic vote" (OSCE 2012b, 4). Voters expressed a high level of trust in Internet voting, only slightly below that of paper ballots (Barrat i Esteve et al. 2012a).
France recently used Internet-based voting to elect 11 deputy ministers to represent citizens living abroad. As a result, this became one of the largest e-voting uses to date, with over 126,000 votes being cast online (OSCE 2012c). The office of electronic voting was created to oversee the election, and was composed of elected officials and representatives of various government offices.
While France's election appeared to be very successful, the process was not fully transparent. The tender documents were not available and there was no indication that the public was consulted during the process. Nor were the audit reports, security assessments and other documents ever released to the public (OSCE 2012c).
Not every implementation of e-voting have been successful. In some cases, e-voting was cancelled before an election or has since been discontinued. Examples of uncontrolled e-voting that critics of e-voting often point to are Washington, DC; England; and the Netherlands. Similarly, e-voting in controlled environments has experienced setbacks in Ireland, Finland and Quebec. Based on our research, the lack of a comprehensive legal framework was almost entirely responsible for problems that occurred in most of these areas. For instance, most of these jurisdictions did not conduct independent testing of the systems before they were made available to the public, which could have been part of a comprehensive legal framework.
A good example of inadequate testing is Washington, DC, where an e-voting experiment was cancelled before it was even used. In that case, a university computer science department managed to cause great embarrassment when it was able to hack a test system because simple security measures were not in place (Wolchuk et al. 2012). The problems likely would not have occurred had there been independent testing before the system was allowed to go public, proper backup procedures and divided voting tasks so that no one person could gain access to the entire system.
England successfully tested Internet voting in five municipalities in 2007 and experienced no apparent problems. However, the tests were criticized because the local electoral authorities lacked internal expertise and election observers had no ability to test the systems (Open Rights Group 2007). The United Kingdom's Electoral Commission recommended that a modern legal framework be put in place before e-voting was used in the future. This would include requiring adequate testing and more transparent procedures (Electoral Commission 2007a & b).
Most other discontinued implementations of e-voting followed a similar theme, experiencing problems that a more comprehensive legal framework and extensive independent testing could have avoided. The Netherlands used Internet voting for voters from the water board districts in 2004 and out-of-country electors in a 2006 parliamentary election (OSCE 2006). However, in 2008, legislation covering both controlled and uncontrolled e-voting was repealed after a high amount of public criticism (Barrat i Esteve et al. 2012b). Most of the criticism was not directly aimed at Internet voting, but occurred after an independent report showed that controlled e-voting machines could be physically manipulated due to weak security and that there were no procedures in place to independently verify the reliability of the machines (Gonggrijp et al. 2006).
Criticism from attempts to use controlled voting in Ireland, Finland and Quebec is also generally aimed at deficiencies in the legal framework. Ireland spent millions of euros purchasing e-voting kiosks, only to have them sit in warehouses after it was found that the software installed on them contained numerous bugs. Concern was also raised about whether the kiosks were secure and auditable (Paris 2004). A report found that the software was flawed and there were insufficient procedures in place to ensure that the voting system using voting machines was transparent and the results were verifiable (Commission on Electronic Voting 2007).
Finland's Supreme Administrative Court ordered three municipalities to redo their 2008 local elections after usability problems with their e-voting systems resulted in some voters leaving the voting terminals before their votes were submitted (KHO:2009:39). The court found that voting instructions mailed to voters were not accurate. One of the problems mentioned by some critics was that the testing of the system and the integrity of the results relied far too heavily on a few information technology professionals on staff (Electronic Frontier Finland 2009). An independent audit found the machines generally secure, but possibly susceptible to insider manipulation (Karhumäki and Meskanen 2008).
Quebec experimented from 1995 to 2005 with controlled e-voting machines, but this was discontinued on the recommendation of the Chief Electoral Officer in 2006. His main concern was there was an imprecise legislative and administrative framework that did not adequately assign roles and responsibilities or address the risks inherent in electronic voting. He also recommended adopting rigorous technical specifications and security standards, and establishing an independent authority to monitor and audit the process (Elections Quebec 2006).
E-voting has also been used in Canada in Markham, Ontario, and Halifax, Nova Scotia. Both of these municipalities appeared to have been successful in using e-voting, although neither appeared to face any major threats. A study following the 2006 election in Markham suggests that this was because an election in a suburban municipality in Canada is likely to "fly under the radar" of many would-be hackers (E-Mergent Management Research 2010). A high level of Internet access aided the adoption (Delvinia Interactive Inc. 2004). In both cases, the legal framework was very limited.
Major Reports on E-voting
While creating a legal framework for any new technology can be challenging, experiments, considerations and reports regarding electronic voting have gone on for almost a decade.
The most extensive considerations, in our opinion, is the progress made by the Council of Europe. Established in 1949, the council is a non-binding organization composed of government representatives from across Europe whose stated goal is to "create a common democratic and legal area throughout the whole of the continent." Distinct from the European Union, the council relies on voluntary conventions among its members to create common laws and frameworks and establish best practices. The Council of Europe has taken a leadership role in Internet voting, having worked with its member states to create extensive guidelines for legal, technical and operational requirements for e-voting implementations (COE 2005).
The United States has also attempted to create lists of best practices and sample frameworks for electronic voting that can be used by states and local election authorities. An example of this is the Help America Vote Act of 2002, which was set up to create guidelines following some of the controversies over inconsistent and outdated voting technology that arose during the 2000 presidential election. Of note, in the United States, the election technology, procedures and specific regulations are organized on a state-by-state level, so while centralized guidelines can exist, individual states can choose to introduce their own legislation.
In addition to the Council of Europe, many of the aspects of a legal framework can also be derived from the observation of international non-governmental organizations that oversee international election results. Included on this list is the Organization for Security and Co-operation in Europe, which has had observers in place for recent elections in Estonia, Switzerland and Norway, and provided feedback on their elections. The International Foundation for Electoral Systems and The Carter Center also released valuable reports. More thorough descriptions of these reports are in Appendix A, International Standards and Reports.
Consolidated Checklist of Values for an E-voting Legal Framework
Our review of the constitutional jurisprudence and legislation in Canada, other literature and the legal framework of other jurisdictions has led us to a list of values and attributes that we believe the ideal legal framework for e-voting should address. The values are also meant to be reasonably technologically neutral and applicable to a paper-based system as well as both a controlled and uncontrolled e-voting system.
The following normative values should be adopted by the legal framework for electronic voting:
- Facilitated accessibility and reasonable accommodation. Government should be proactive in taking steps to make voting as convenient as possible, including embracing viable alternatives such as Internet voting, unless overriding reasons prevail. Voters who face challenges should be fairly treated and resources should exist to ensure those with physical disabilities and visual impairments, as well as lower income, remote and elderly voters, can also take advantage of technology.
- Voter anonymity. There should be protections at all stages of the voting process to maintain the secrecy of a voter's ballot and protect voters against undue influence affecting their right to vote freely.
- Fairness. All voters should be afforded similar opportunities to participate in the electoral process, including voting relatively close to election day, having access to a simple ballot, having only a single vote counted and being able to express their electoral choice or non-choice in a meaningful way.
- Accurate and prompt results. Every voter who chooses to use an alternative means should have their vote cast and recorded as intended and only eligible voters should be included in the results. Processes should be in place to audit the system to ensure that this is the case, as well as to provide voters with reasonable confidence that their ballot was properly recorded. At the same time, Canadians' expectation of a timely election should be maintained.
- Comprehensible and transparent processes. It is not enough that a system be intrinsically trustworthy. The public and stakeholders should be reasonably informed of all aspects of the voting system, including important safeguards, protection and even accessing and using the system.
- System security and risk assessment. Safeguards must exist at all stages to discourage, prevent and monitor dangers, including external threats, internal collusion, systematic breakdowns and disruptions.
- Detection of problems and remedial contingencies. Electoral officials must have clear procedures to recognize and react to problems with a voting procedure while voting is taking place to ensure the voters are not disenfranchised. Equally, there must be legal procedures for officials to identify and rectify errors or issues in a voting system that may have affected the results.
- Legislative certainty and finality. The current offences, division of roles, voting periods, recount measures and other provisions currently in legislation must be reviewed to ensure they are applicable to any changes in voting processes and continue to guarantee a prompt and final outcome to the electoral process.
- Effective and independent oversight. At all stages of an election, from pre-approval, implementation, voting, through approval of the results, there must be effective oversight by individuals and entities who have the experience, capabilities (including technical skill) and public confidence to ensure laws and procedures are complied with. Testing of systems, auditing of results and effective reporting back to Parliament are all needed.
- Cost justification and efficiency. Finances and resource allocation are always a consideration in securing a voting system and accommodating the needs of a diverse electorate. The costs should not be grossly disproportionate to the real benefits in accommodating voters and promoting public confidence in the process.
While these values are all important, not all can be absolute. Any voting process may have competing values, and choices may have to be made. Secrecy and accuracy may be difficult to reconcile if there is any discrepancy between votes and results. There must be ways to separate the voter from the vote: to know that one's vote was counted, but to keep that choice secret. Convenience has been limited with strong identification rules to prevent fraud. Cost concerns may limit to what extent disadvantaged groups are accommodated. It is up to legislators as well as electoral authorities, in consultation with experts and the public, to give as much substance to these values as possible in any legal framework. As Justices Rothstein and Moldaver recently pointed out about the Canada Elections Act:
The balance struck by the Act reflects the fact that our electoral system must balance several interrelated and sometimes conflicting values. Those values include certainty, accuracy, fairness, accessibility, voter anonymity, promptness, finality, legitimacy, efficiency and cost. But the central value is the Charter-protected right to vote. (Opitz v. Wrzesnewskyj, paragraph 44)
Return to source of Footnote 2 Voting by telephone is another example of voting in an uncontrolled environment and was used in New South Wales alongside Internet voting in the last state election.
Return to source of Footnote 3 Estonia's national identity card is used for a wide range of government services, including social assistance and transit.
Return to source of Footnote 4 There has not been a significant uptake in voting where Internet voting has been introduced; however, long-term voting statistics are not yet available, and only Estonia has used Internet voting in an unrestricted general election.
Return to source of Footnote 5 Ireland uses a preferential system called the single transferable vote, where voters vote for multiple candidates and rank them by preference. This voting system required the voting machines to randomize how ballots were counted.
Return to source of Footnote 6 These rights were originally described by Boyer 1981.
Return to source of Footnote 7 Our recommendations encompass three of these four pillars. Non-discrimination is the concept that electronic and non-electronic documents be given the same legal weight. The exception, party autonomy, is the principle in e-commerce that parties can choose the governing law, which is inapplicable in an electoral context.