Fears for online voting security

Dunedin web developer Chris Burgess says there are many potential risks if the Dunedin City...
Dunedin web developer Chris Burgess says there are many potential risks if the Dunedin City Council joins a trial of online voting. Photo by Gerard O'Brien
The Dunedin City Council is being warned online voting could open democracy's door to hackers.

The concern comes from Dunedin based web developer and data protection specialist Chris Burgess, as the council prepares to consider joining an online voting trial.

Councillors at today's full council meeting will vote on whether to join others volunteering to be selected for the trial during next year's local body elections.

That could see the council paying up to $165,000 to participate in the trial, if it was among councils chosen by the Government to participate, a staff report said.

Mr Burgess yesterday said the trial could open the door to new threats, from data security concerns to hacked election results.

While online voting might seek to make it easier, the system was not yet secure enough to ensure hackers did not also take advantage, he believed.

Online voting depended on the security not only of the voting process itself, but the digital devices used by individual voters, many of which were vulnerable.

A hack could take many forms, from data security breaches that resulted in the loss of electors' private information, to a denial of service attack that stopped people voting.

A distortion of election results was a ''major'' risk, especially if online activists decided to target the system ''for the hell of it'' rather than for political purposes.

''[Online voting] enables the ability of people to interfere with democracy in a way that we don't want to see here, or anywhere.''

While traditional ballot papers could also be vulnerable, online voting risked offering ''a force magnifier for the attacker'', Mr Burgess said.

''If I wanted to mess with the postal ballot, sure, it's possible to go letterbox to letterbox ... but to do that on the scale of tens of thousands of votes is a few dollars worth of computing power online.

''It really is that easy for someone with intent.''

And, if an election was disputed, the absence of a paper trail could make recounts more contentious, as well. Mr Burgess is among a group of information technology specialists due to address councillors at today's meeting.

He worked from Dunedin for Wellington based company Fuzion, which had clients on five continents.

Mr Burgess' role was to protect the data of the more than one million individuals covered by the clients' systems.

Council corporate services group manager Sandy Graham remained confident the online voting proposal was robust.

Ms Graham said the council's private elections contractor, Electionz.com Ltd, had been running online elections around Australasia ''without issue for a very long time''.

The Department of Internal Affairs had also issued protocols for the online trial, including for digital security, that were expected to be robust.

The council's expected bill, if it opted to participate in the trial, largely reflected the cost of ensuring each voter had a unique ID and access code for security purposes, Ms Graham said.

''We've considered all those things and we're comfortable that if we follow the protocols the DIA have put in place, together with our service provider, that we will have minimised the risks around any online process,'' Ms Graham said.

The cost of the trial was among concerns to divide other councils which had indicated an earlier willingness to take part.

Eight councils, including Wellington City Council, had confirmed their participation, but three, including Christchurch City Council, had opted not to take part.

Mr Burgess remained sceptical, saying the most likely risk was the council blowing ''a whole lot of money'' on a system with vulnerabilities.


Add a Comment