(With thanks to Peter Cruickshank for raising the public money issue, and for suggestions on reading)
On Tuesday 19 June, I was at two events. The first was a meeting of the Scottish Government’s Online Identity Assurance stakeholder group. The second was a seminar on Vote.Scot: Shaping the future of online voting in Scotland. They provided a very interesting set of information and questions.
1 Online identity assurance (OIA) stakeholder group
(This section is based on week-old memories, rather than detailed notes.)
The session started with presentations from:
- Roger Halliday (SG chief statistician and senior responsible officer for the programme): introduction to the event
- Jess Pascoe (SG official working on stakeholder engagement) on the group’s previous meeting, e.g. how the group should work together, the group’s remit and composition
- Susie Braham (SG OIA strategic lead) on the discovery phase’s findings
- Mike Crockart (SG OIA technical lead) on technical options.
These presentations are all on Youtube, so I don’t précis them here. However, here’s a picture of the proposed architecture Mike showed.
As I understand it, identity providers (IDPs) would store enough data about users to enable them to prove that they are who they say they are (‘authenticate’). When a user wishes to access a service from a relying party (RP), he or she goes to the RP’s system, which then uses IDPs to authenticate the user. So users should not be confused by directly seeing the IDP systems. I presume that service-related user data (as opposed to the data needed to authenticate users), such as social security, medical and local authority records, will be stored on RPs’ systems. The stakeholder group was not asked to examine this model in depth, although there was discussion of who should be doing what.
The stakeholders were asked to comment on five questions:
- What did the discovery do well?
- What did the discovery do less well?
- What should we do more of in alpha?
- What should we do less of in alpha?
- What feedback should we give to the minister tomorrow?
As I recall, the answers to the first two questions were basically that discovery had tried to reach representatives of real users, but maybe didn’t get as ‘real’ or as open as it might have done. There were many suggestions for additions to alpha, almost no suggestions for reducing alpha, and a few comments about what to tell the minister. My contributions included suggesting doing lots of user-testing in alpha, and that the minister should go slowly and carefully.
My contributions to the other parts of the event were to ask whether the OLA team was overlapping with the SG’s conversations about e-voting, and to insist that despite the concentration on digital, those who cannot use digital should be catered for. I was told that the team was aware of the work of led by Liz Ure of the SG elections team, and that non-digital would be in the process. Nevertheless, I still have some qualms:
- The team took pains to say they were working in the spirit of Open Government. I’m not convinced of this, partly because documentation on the technical parts of discovery were not published until part-way through the event. (They are online at https://beta.gov.scot/publications/online-identity-assurance-programme-board-papers-23-may-2018.) I can’t shake the feeling that the OLA team were acting as the clever, hardworking adults. I have no doubt that the team is clever and is working hard on this constantly (while the stakeholder group only see snapshots), but there was a wealth of experience, knowledge and brain-cells in the room, possibly not being used to the best advantage because it had not been informed in a timely manner.
- Another organisation represented on the stakeholder group is already working on an identity system that may be used by local government. So why the duplication of effort?
- While this OLA programme (and the other organisation’s project) appears to be about delivery of local and national government services, isn’t representative democracy one of the most important services governments provide? Representative democracy revolves around voter identity and eligibility, so I’m uneasy that work on e-voting appears to be at least partially separate. (There were some people in the room who I recognised from the previous week’s workshop about e-voting and participatory budgeting.)
- Identity is hard. See, for example, some fundamental issues raised by (Alpár, Hoepman, & Siljee, 2011) in the appendix below. Another issue these researchers point out is that RPs and IDPs should authenticate themselves to users, as well as vice-versa. That is, users should be sure that these organisations should prove they are who they say they are each time before they can process users’ data. (As an analogy, has your bank ever phoned you? If so, how has it proved it is your bank, and not a fraudster?) It’s also not sensible for IDPs to extend their circles of trust (the numbers of RPs for which they provide authentication) without users’ knowledge and consent.
- Finally, as I understand it, it is likely that most IDPs will be private companies, rather than government agencies. I understand that such companies have years of experience but they are generally for-profit. So instead of public money being used to develop public capabilities, it will go to private interests. (It’s somewhat reminiscent of PFI, which enabled the government to afford buildings without increasing borrowing, but ended up with those buildings being owned by private companies instead of the public.) It’s good that SG plans for several IDPs, thus avoiding a monopoly and a single point of failure, but could these not be the councils and government agencies that are also RPs? This would help keep public money, and knowledge of how to do things, in public hands.
This event was chaired by Ruth Maguire MSP (Scottish National Party). The speakers were Areeq Chowdhury (Chief Executive of WebRoots Democracy), Liz Ure (SG Elections Team), Simon Hearn (Deputy Chief Executive, Electoral Reform Services), Mike Summers (Program Manager for Online Voting at Smartmatic) and John Abbott (Director at Yoti). I took fairly detailed notes at this event, but I arrived slightly late, and so missed most of Areeq Choudhury’s piece.
2.1 Areeq Chowdhury.
Arreq introduced the Cratos project, which aims to certify e-voting systems.
2.2 Liz Ure (SG Elections Team)
Liz commented on what the SG would find useful in the context of its commitment to pilot e-voting. She noted that results from the recent public consultation on electoral reformare currently being analysed, but that changes could involve online voting, voting machines, or both. Any changes would need to focus on ministers’ requirements:
- Improving turnout
- Improving accessibility, especially for those who find voting challenging.
Hence there are several key themes to the SG Election Team’s current work:
- Maintaining the current high level of trust and confidence in Scottish elections
- Ensuring accessibility, so that everyone is be able to vote (e.g. avoiding disability impeding voting) but avoiding introducing digital divides
- Ensuring usability and privacy, which revolves around eligibility, secrecy of how individuals vote, and ensuring people cannot vote multiple times. Hence there is a balance to be found between usability and privacy.
- Ensuring security and integrity, that is, that votes cannot be changed, and knowing where vulnerabilities are so they can be countered – these are key to voter trust and confidence.
- Ensuring verifiability, which is also key to voter trust. So e-voting must prove that only eligible voters have voted, that it has recorded the votes as they were cast, and that it has counted votes correctly.
2.3 Mike Summers (Smartmatic)
Mike spoke about Estonia, which has had e-voting since 2005. Estonians can also vote in person or by post – any voter’s in-person vote can change his or her earlier e-vote in the same election. Around 33% of Estonians currently e-vote, but this number has grown from a very small initial number. Estonia uses strong ID systems to ensure that only eligible votes access e-voting systems. This involves physical ID cards that also give access to services, and enable Estonians to digitally sign documents. Estonia now provides mobile ID via special SIMs.
Mike suggested that the UK’s legislation needs to be updated, and that remote (i.e. postal) voting in Scotland provides a thought-experiment for security. (That is, it’s not necessarily secure.). He said that the UK’s 2007 pilots were not successful, partly because no success criteria were defined. He added that Estonian e-voting has not always been straightforward, and that it is critical that e-voting is verified. This requires audit by voters and other stakeholders. For example, Estonian votes receive receipts with QR codes enabling them to check how their votes have been recorded. He finished by reminding that we need to be aware of the flaws in current (paper) systems, especially in postal voting.
2.4 Simon Hearn (Electoral Reform Services)
Simon introduced Electoral Reform Services – it’s part of the Electoral Reform Society. It has facilitated online voting for trade unions, local election pilots, building societies etc, totaling millions of voters. He stated that public voting needs to be more secure than most private ballots. He agreed that stakeholder trust is important, and stated that people trust the technology of ERS-supported elections – concerns tend to be about the outcomes. He noted that trust in elections has dipped recently, imply need to change systems. He stated that online voters understand what they need to do, except when information is not clearly presented or when devices go wrong. Hence any Scottish e-voting system would need the right balance of information to explain how to use it. (For me, this was reminiscent of Delone and McLean’s information systems success model (Wikipedia): information-quality affects intention to use and actual use.) Simon raised the problem of ‘e-fog’, that is, there is too much arriving in everyone’s in-box. Once consequence is that when awareness campaigns end, turnout drops.
2.5 John Abbott (Yoti)
John started by noting the importance of voters’ perceptions, and that Yoti provides digital IDs from fragmented ‘parts’. He agreed that properly establishing ID is hard. Yoti does this by using biometrics to secure users’ individual vaults, which are linked to passports, one of the ‘gold standards’ of government-issued ID. (He later noted that not everyone has such government-issued ID.) He continued that Yoti has lots of facilities for checking IDs, and that it takes about 5 minutes to create a vault. He noted that when proving age, for example to buy alcohol, any ID system should do only that, and not give out any other information. He agreed that voter trust is important, and raised the issue of possible e-impersonation by other applications.
2.6 Questions and comments
- Concerning resilience:
- It was stated that a successful attack might only affect a few postal votes but could affect many e-votes. In the event of such an emergency, Estonia would fall back on its existing system of paper votes at polling stations.
- It was added that e-voting systems would only be online during voting, thus minimising their availability to be attacked.
- It was also added that in the UK’s EU referendum, because online voter-registrations systems failed, parliament was recalled so the government could legalise extension of the registration period. This could not be done in a parliamentary election because the government would have resigned. Currently, the UK does not have systems to handle such issues.
- Concerning the commitment that communities should allocate 1% of local authority budgets (in local participatory budgeting votes), it was asked how local authorities are to undertake this. (I don’t recall that this question was answered.)
- It was stated that generally e-voting leads to channel-switching, rather than increasing overall turnout, and that turnout is about how important the issue is to voters.
3 My conclusions
There is a lot of e-voting expertise out there! It was good to see that organisations that have experience of e-voting are somewhat cautious about introducing it for national elections. It was also good to become aware of independent work to examine and verify e-voting systems. Although this event was invitation-only, I felt that the speakers were open to questions. It was also good to be able to make connections between, for example, SG team-members and interested academics.
It’s true that UK postal voting has been vulnerable to fraud. For example, a chronology of allegations of electoral offences for 2010 to 2016 takes up 25 pages in a House of Commons Library report– see (White & Johnston, 2017). The report on 2001 to 2010 has a similarly large chronology – see (White & Coleman, 2011). A Parliamentary Affairs report examines an infamous incident in Birmingham in 2005 (Stewart, 2006).
There are still several questions to be answered about national e-voting: one of these is how voting by proxy will be provided in e-voting systems. (I was told that Scotland does not currently allow proxy voting, but I know it has been allowed in England.)
I’m not sure that identity and eligibility issues have been solved. For example, any voting systems need to handle the different citizenship and residence eligibilities for local government elections, general elections and any future referenda. They may need to handle participatory budgeting eligibility, such as allowing voting by anyone over a certain age who lives, works, studies or volunteers in the relevant area.
Voting records will need to be separate from other aspects of identity, yet many people will want single sign-on for all local, Scottish and UK services, including e-voting, which could enable attackers to access all of such users’ data. (Systems will often need to prevent access to such data, just replying whether a user is eligible to vote or receive the service in question. However, if the system also contains medical histories, doctors will need to be able to access all of these.) Others will want all services to be entirely separate, or at least accessed via different systems and credentials.
The concerns about reciprocal authentication (users to systems, systems to users) remain, as does my uneasiness about duplication of effort and possible lack of co-ordination between two identity work-streams and the e-voting workstream.
4 Appendix and references
The following is just from my initial reading. There is no doubt more to discover.
4.1 Points from (Alpár et al., 2011)
- Identity is not absolute. That is any person may have more than one identity, e.g. employee, citizen, organisation member.
- Identity is not unique. That is, any person may have several roles.
- Identity is dynamic. That is, we change over time.
- Identities may need to exist after people expire. That is, various records (e.g. tax) must not expire when we do.
- Identities are not only what we say we are, but also what others we say we are. That is, for example, doctors can add medical facts to our records.
- There may be issues when identities need to merge. For example, two organisations might merge. If someone has an identity on both organisations’ systems, these identities will need to be merged correctly.
(Alpár et al., 2011) also refer to Cameron’s(2005)‘seven laws of ID’, and add an 8th law: location independence. That is, users should be able to authenticate to and access systems from wherever they are, on any device.
4.2 Points from (Zwingelberg & Hansen, 2012) about privacy protection goals
These goals need to be achieved in any online ID system both initially and over time.
- Confidentiality means that an unauthorised access to information or systems is prevented.
- Integrity means that information or systems are protected from unauthorised or improper modifications.
- Availability means that information or systems are available when needed.
- Unlinkability means that all data processing is operated in such a way that data (e.g. on one IDP system) are unlinkable to other data. For example, it should not be possible my medical records to be linked to anything else, except possibly with my informed consent.
- Transparency means that users, IDPs and RPs involved in data processing can comprehend the legal, technical, and organisational conditions, before, during and after the processing.
- Intervenability means that those involved in data processing, including the people whose data are processed, have the possibility to intervene, where necessary.
Alpár, G., Hoepman, J.-H., & Siljee, J. (2011). The Identity Crisis. Security, Privacy and Usability Issues in Identity Management. ArXiv Preprint, 1–15. Retrieved from http://arxiv.org/abs/1101.0427
Cameron, K. (2005). The Laws of Identity. Retrieved from http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
Stewart, J. (2006). A banana republic? The investigation into electoral fraud by the Birmingham election court. Parliamentary Affairs, 59(4), 654–667. https://doi.org/10.1093/pa/gsl020
White, I., & Coleman, C. (2011). Postal Voting & Electoral Fraud. World. Retrieved from http://researchbriefings.parliament.uk/ResearchBriefing/Summary/SN03667#fullreport
White, I., & Johnston, N. (2017). Electoral fraud since 2010. Retrieved from http://researchbriefings.parliament.uk/ResearchBriefing/Summary/SN06255#fullreport
Zwingelberg, H., & Hansen, M. (2012). Privacy protection goals and their implications for eID systems. IFIP Advances in Information and Communication Technology, 375 AICT, 245–260. https://doi.org/10.1007/978-3-642-31668-5_19