The vulnerabilities of online voting

Aasiya Riaz
Friday, Aug 05, 2022

The writer is an analyst working in the field of politics, democratic governance, legislative development and rule of law.

The UK’s Conservative Party is going through its internal electoral process of choosing Prime Minister Boris Johnson’s successor. The final contest is between two Conservative MPs: MP for southwest Norfolk, Secretary of State for Foreign, Commonwealth and Development Affairs and Minister for Women and Equalities Ms Liz Truss, 47, and MP from Richmond and former chancellor of the exchequer Mr Rishi Sunak.

The members of the Conservative Party from across the UK will vote to choose the next party leader in the final round. Each member of the party who joined the party on or before June 3 is eligible to vote. While the exact membership numbers are not announced by the Conservative Party, an estimated 160,000 members of the party were eligible to vote in the latest party leadership contest, and the party claims that the membership numbers have grown further since. Voting in the final round of elections is to close on September 2 and the final results, declaring the winner of party leader, and consequently the next prime minister, are due to be made public on September 5.

The Conservative Party had announced that eligible members of the party could choose to vote both by postal ballot and online. However, if they vote twice, by postal ballot and then online, only their last vote received will be counted in deciding the leadership contest.

However, recently the party has announced that due to security concerns relating to online voting, it has had to change the voting process. This has come about after the party received advice from the UK’s National Intelligence, Security and Cyber Agency which has warned that hackers could change party members’ online votes. The national cyber security agency has shared that the online voting system may create a vulnerability which a foreign state or hackers could try to exploit. The online voting system proposed by the party, therefore, exposed the party, and the country, to the risk that the decision about who becomes UK’s next prime minister might be tainted due to the weaknesses of online voting.

In its statement, the agency has said that it has provided advice to the Conservative Party on security considerations for online leadership voting based on the principle that it is the agency’s job to ‘defend [the] UK’s democratic and electoral processes.’ The party has now announced to its members that after their postal vote is received, members’ online codes will be deactivated to reduce the risk of any online voting manipulation and fraud in the leadership election.

Despite tremendous advancements in technology, internet voting has not become the leading global norm to decide the outcome of politically-binding national and sub-national elections. A Pew Research Center 2020 report shares that paper ballots remain the most common form of voting in 209 out of 227 countries. Due to the vulnerabilities inherent in the system of internet voting, only a few countries have experimented with internet voting with Estonia being the only country which has used online voting nationwide in local, national and European Parliament elections. Even though Estonia began to use internet voting in 2005, reports as late as 2017 suggest that the country has had to take several measures to fend off potential hacking attacks due to fears relating to cyber security.

Stockholm-based International Institute for Democracy and Electoral Assistance (IIDEA) surveyed that in 2020, only eight countries used online voting in some elections while some others have carried out limited pilots for specific populations but decided not to continue internet voting.

Pakistan has also experimented with internet voting or I-voting as a pilot exercise to facilitate voting by overseas Pakistanis from their place of residence. The Elections Act, 2017 mandated the ECP to conduct pilot projects in this regard to ascertain the technical efficacy, secrecy, security and financial feasibility of such voting. An iVote system was developed by NADRA. In April 2018, the Supreme Court directed the ECP to form an Internet Voting Task Force (IVTF) to conduct a technical audit of the iVote system. The IVTF found the system to be insecure and prone to hacking and manipulation and recommended that deploying internet voting for overseas Pakistanis in General Election 2018 would be a hasty step with grave consequences.

NADRA implemented certain technical points recommended by the IVTF and the system was deployed as a pilot by the ECP at the cost of Rs95 million in the by-election held in October 2018 across 35 constituencies including National and provincial assembly seats. In its report after the pilot, the ECP highlighted that the iVote system violates ballot secrecy, enables voter coercion, lacks auditability, and is vulnerable to cyber-attacks.

Not satisfied with the ECP report, the PTI government hired Minsait Indra, a Spanish consultancy firm, to carry out an audit of the iVote in May 2021 with considerable cost to the exchequer. The audit report corroborated the ECP report that the iVote system does not fulfill the constitutional requirements of vote secrecy, and if employed, neither the voters nor the ECP would have any guarantee that the results obtained from the system represent the choices made by the voter. It also found various internal and external technical vulnerabilities in the system and made multiple recommendations requiring technical and financial resources spread over time.

Despite serious technical flaws pointed out in the internet voting system by these audit reports, the PTI has continued to propose and demand to facilitate internet voting for overseas Pakistan in the next general election. After its ouster from government, the party has approached the Supreme Court to direct the ECP to grant necessary approvals and funds to NADRA for developing a new I-Voting System for use of overseas Pakistanis in the next general election. The party’s petition has challenged the amendment passed by parliament in the Elections (Amendment) Act, 2022 section 94 regarding facilitation of the right to vote of overseas Pakistanis from their countries of residence which was reverted almost to the language of the Elections Act, 2017 authorising the ECP to conduct out further pilot projects to facilitate voting by overseas Pakistanis.

There is no disagreement on facilitating the right to vote by overseas Pakistanis from their places of residence. At the moment, they can only vote physically by travelling to Pakistan. However, it is the constitutional and legal responsibility of the ECP to ensure that vote facilitation does not subvert the credibility and fairness of elections. The ECP must actively look into the postal ballot option used by many countries to facilitate voting by non-resident citizens. Where cyber security considerations are not allowing online voting in the internal electoral process of political parties, how can these be ignored in the national and provincial electoral processes?

Pakistan’s electoral process has continually suffered from lack of political and public credibility. The issue of extra-constitutional meddling and influencing of the electoral process in Pakistan cannot be mitigated by the introduction of technology. Pakistan’s social and political context requires very different remedies that begin by state institutions working strictly within their constitutional remit. Short of that, introduction of technology would only expose our electoral system further to its existing vulnerabilities.