Trade Unions and E-Voting, is it possible?
A SECURE SYSTEM FOR BALLOTS AND ELECTIONS
Electronic voting in the UK
In 2014 over 400 organisations throughout the UK provided their stakeholders with the opportunity to cast votes electronically – whether online, by telephone or by text, using the services of Electoral Reform Services.
Over 1.0 million electronic votes were received by ERS with voters voting in all types of elections and on all types of issues in all sectors of the economy.
- Mutual Organisations - >30 building societies and co-operatives representing 10 million members voting on the appointment of Directors or electing other representatives and voting on AGM resolutions.
- Membership Organisations: Institutes, Associations and Trade Unions - >200 membership organisations representing 3 million members, electing their representatives, voting on AGM resolutions or participating in consultative ballots (including all of the UK’s major political parties).
- Community and Health Based Organisations - >30 community and health based organisations representing 100,000 tenants and residents electing community representatives and participating in consultative ballots.
- Corporate: Companies and Partnerships - >150 companies with over 1 million employees electing staff representatives and voting in consultative ballots.
Some of these organisations only allowed voting using electronic channels but many incorporate electronic voting alongside a traditional postal voting process.
HOW DOES SECURE ELECTRONIC VOTING WORK
Casting an electronic vote is usually relatively straightforward and is a familiar process to people accustomed to communicating or transacting electronically.
It involves accessing a website or calling a telephone number and following the written or verbal instructions, or sending a text in a specific format. To authenticate the voter, security codes or other unique identifiers are used to access the electronic systems.
The votes cast electronically are stored as data and counted using vote counting software. If combined with postal voting, electronic votes are added to the postal votes to determine the result of the ballot.
[Figures: Example online voting site pages using security codes, showing confirmation of voting selections and confirmation of vote cast]
Please view the live e-voting demonstration website using the following details:
Security code 1: 012001
Security code 2: 0123
Electronic voting and trade union ballots
In a ballot conducted under the 1992 Act, a ballot paper is required to be given a unique sequential number and sent to the member by post. When voting electronically, a voter is confirmed as eligible to vote and able to cast a vote on the system through the use of authentication information. The instructions on how to vote and the authentication information can be circulated by post, e-mail, text or in person.
Authenticating the Voter
Different methods of authentication can be used to enable voters to cast their electronic votes, e.g. single use security codes, personal ID information or membership affiliation information. An electronic voting system must be able to identify that the information being provided to authenticate the voter is the information required to enable a vote to be cast and recorded in that particular ballot and it must be unique to the voter.
The vast majority of organisations working with ERS will issue their voters with randomly generated single use security codes to enable them to access the electronic voting systems. This is similar to a postal ballot, albeit more complicated, where a ballot paper number is used to make the ballot paper unique. Other organisations have required voters to provide personal identifiers such as dates of birth, and postcodes (online or by text) or a membership number and a date of birth.
Secure Delivery of the Electronic Voting Information
To maintain the security and integrity of any ballot, an appropriately secure means of distribution is required for the delivery of the electronic voting information. Voting information can be distributed in a variety of different ways: by post, by e-mail or by text. Each of these methods requires the prior collection of the delivery address, whether postal, e-mail or phone number. Alternatively, voting information can be collected in person at an advertised collection point. If a voter is being provided with single use security codes then the distribution method must be secure and personal. There are known risks associated with the method of delivery of the voting information and these can be mitigated.
Traditionally, voting information for ballots has been distributed by post, but the distribution of electronic voting security codes by e-mail or text is now common practice in a large number of private ballots managed by ERS. This is similar to processes adopted by organisations providing access to secure online or telephone systems for the purpose of conducting financial or other similar private transactions. Of course there are risks in any method of distribution - e-mail, post, even face-to-face - and these risks have to be assessed alongside the costs and benefits of each method. For example, it is generally accepted that the use of e-mail is a low risk process that enables the most cost-effective communications to voters while maximising voter participation. The online voting security codes can only be used once by a voter and no personal data is displayed on the voting site that the security codes are used to access. Security codes are only sent to the e-mail address that a member/voter has registered as their e-mail contact address. Security can be further enhanced by delivering parts of the authentication by separate delivery methods, e.g. by e-mail and post. However, our experience suggests this split distribution is problematic both for the voter, who must receive both pieces of information, and for the organisation, which must ensure it has all the required delivery address information.
Providing multiple voting channel options and detecting multiple voting
Providing multiple voting channels through which a vote can be cast gives voters greater flexibility and increases accessibility but does create the possibility of multiple voting. To prevent multiple voting, voters are required to provide their unique authentication information whether they vote by post or electronically. For example, in addition to a ballot paper number, unique security codes are commonly printed onto a ballot paper and instructions are provided on how to vote using an electronic voting channel. On receipt of postal or electronic votes, the administrator of the ballot will check whether the security codes have been used to authenticate more than one vote. If they have, then appropriate rules will be used to invalidate one or all votes.
Frustrating the Vote
In a ballot using an electronic voting system, the voter's opportunity to vote could be frustrated by third parties either interfering with the method of delivery of the voter information or preventing access to the voting channel. Our experience suggests that deliberate interference with the voting system or method of delivery by third parties is extremely rare and a low risk. Where issues do occur they are usually inadvertent consequences of other processes, e.g. spam filters, firewalls.
Frustrating the method of delivery
Electronic voter information is increasingly delivered by e-mail or by text message, but also still by post. All of these methods, of course, require the organisation holding the ballot to have collected this information in advance from the eligible voters. In any ballot it is advisable, for reasons of secrecy, for an eligible voter to provide a workplace postal address, e-mail address or work telephone number as a delivery address only when no reasonable private alternative is available.
It is standard and good practice for organisations and individuals to block the delivery of e-mails of a particular type or character where they may be deemed to be potentially harmful to the systems receiving the e-mail. It logically follows that it is a simple step to block the delivery of the voter information being delivered through a particular e-mail system. Whether it is appropriate, particularly in relation to trade union ballots, for organisations to be prevented from blocking ballot e-mails is a matter for the legislatures and policy makers to determine. It is impossible to say whether it is likely that organisations, for whatever reason, will routinely block the delivery of e-mails containing voting information. To our knowledge and from our experience of over 20 years of conducting ballots under the 1992 Act, the only occasions where delivery of postal material has been blocked by an organisation are a handful of occasions where significant numbers of ballot envelopes were being delivered to the organisation. We are not aware of a situation where an organisation has deliberately blocked the receipt of text messages or e-mails in relation to other ballots ERS has administered.
Frustrating access to the voting channel
In most instances it is very unlikely that an unconnected malicious third party would seek to deny voters access to an electronic voting system for a ballot conducted in relation to the 1992 Act. There are of course some high profile elections or ballots that might draw unwanted malicious attention and the administrator should have systems in place to detect these and adapt accordingly. It is more likely that organisations will, on the grounds of inconvenience or risk, seek to restrict the access of voters to the electronic voting systems through their proprietary systems. Whilst it would be unlikely for this to routinely occur, it is another factor that should be considered when regulating in this area.
VOTES CAST ARE SECRET
With any balloting method, whether postal, electronic or telephone, to ensure the secrecy of a vote it is advisable to use an independent person to control both the distribution of the voting information and to administer the receipt, recording and counting of votes.
We discussed above how electronic voting information and security codes can be distributed to the voter by various means and that there are risks associated with any transfer of information that requires a third party carrier. Once delivered, the vote cast must be secret. There is good practice advice for voters on how to cast their vote in secret and also good practice procedures that should be used by the independent person storing the votes.
Advice for Voters
Many of the issues relating to casting an electronic vote in secret are similar to those when completing and returning a postal ballot paper. We discuss below the issues in relation to the security of electronic devices used to cast votes, but specifically in relation to secrecy, voters should consider their physical location when they cast their vote and the proximity of others to them. Specific issues exist in relation to voters using third party electronic devices, particularly in relation to employment and the workplace. For example, employers commonly reserve rights in employment contracts in relation to the use of company supplied hardware and software and could, through the use of keystroke or other similar software, determine how an employee has voted in a particular ballot or, very simply, whether they have participated in a ballot.
Separation of Distribution of the Voter Information and Recording of the Vote
It is good practice to separate, physically and electronically, the system and database used for the distribution of the voter information from the database used to store the votes cast on the electronic voting system. The only commonality between these two systems is the authentication codes used by the voters. This ensures that the voter’s identity is separated from their voting preference but, as currently with public elections and other postal ballots, it allows the independent person, in the event of queries or challenges, to investigate and if need be invalidate the votes from a particular voter. It may be appropriate for the data related to the ballot to be encrypted when stored to further enhance the security and secrecy of the vote.
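The separation described above, combined with the multiple-vote check from the section on multiple voting channels, is shown here as an added example (not ERS's system or code). The class names, the 10-digit code format and the rule names `keep_first` and `void_all` are assumptions made for illustration, and the votes are constructed sample data.

```python
import secrets
from collections import Counter, defaultdict

class DistributionRegister:
    """Distribution side: knows who received which code, never sees a vote."""
    def __init__(self):
        self._voter_by_code = {}

    def issue(self, voter_id):
        code = f"{secrets.randbelow(10**10):010d}"  # assumed 10-digit code format
        while code in self._voter_by_code:          # a code must be unique to one voter
            code = f"{secrets.randbelow(10**10):010d}"
        self._voter_by_code[code] = voter_id
        return code

    def valid_codes(self):
        return frozenset(self._voter_by_code)       # codes only, no identities

    def voter_for(self, code):
        return self._voter_by_code[code]            # used only to investigate a query

class BallotBox:
    """Vote side: stores code, channel and choice; holds no voter identities."""
    def __init__(self, valid_codes):
        self._valid, self._received = valid_codes, []  # votes kept in order of receipt

    def cast(self, code, channel, choice):
        if code not in self._valid:
            return False                            # unknown code: nothing recorded
        self._received.append((code, channel, choice))
        return True

    def count(self, rule="keep_first"):
        choices_by_code = defaultdict(list)
        for code, _channel, choice in self._received:
            choices_by_code[code].append(choice)
        tally, flagged = Counter(), []
        for code, choices in choices_by_code.items():
            if len(choices) > 1:
                flagged.append(code)                # code authenticated more than one vote
                if rule == "void_all":
                    continue                        # invalidate every vote on this code
            tally[choices[0]] += 1                  # otherwise count the first received
        return tally, flagged

def run_sample_ballot():
    register = DistributionRegister()
    codes = {v: register.issue(v) for v in ("member-001", "member-002", "member-003")}
    box = BallotBox(register.valid_codes())
    box.cast(codes["member-001"], "online", "YES")  # constructed sample votes
    box.cast(codes["member-002"], "post", "NO")
    box.cast(codes["member-003"], "online", "YES")
    box.cast(codes["member-003"], "post", "NO")     # same code on a second channel
    return register, box
```

Only `DistributionRegister.voter_for` can turn a flagged code back into a voter, so the count itself runs without access to identities.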
The risk of any unfairness or malpractice is minimised
In any ballot, whether conducted by post or through electronic channels, it is not possible to remove all the potential for malpractice. However, it is possible, through appropriate risk management and good practice, to detect malicious activity with a high degree of confidence and therefore significantly reduce the likelihood of its success.
An organisation using a third party administrator's electronic voting system should expect that the system has a high level of system and data security and that the administrator has a rigorous quality assurance system supporting this.
Electronic Voter System Security
The system should be built and configured according to recognised industry standards and should have been independently tested. For example, an online voting system should be regularly scanned for vulnerabilities by an independent ASV (Approved Scanning Vendor) such as the PCI Security Standards Council and regularly independently penetration tested by a specialist web application security company.
Infrastructure supporting the systems should be robust and mitigate against downtime or interruption of service, for example through the use of redundant architecture and system replication. Further, we would expect that when online voting is utilised an Extended Validation SSL certificate, with a high level of encryption, is used to give the voters greater confidence that the transfer of their vote through the voting website is secure.
Quality Assurance and Vote Monitoring Procedures
Third party administrators should be able to demonstrate that they have rigorous quality assurance procedures and processes. Evidence such as certification in quality management and information security, e.g. ISO9001 and ISO27001 would be expected.
In addition, routine monitoring of votes being cast, similar to that already used on postal voting, should be standard practice: for example, monitoring of the pattern and frequency of votes being cast, internet protocol addresses, and call or text numbers. All of this can be undertaken without jeopardising the secrecy of the individual's vote.
The Voters Systems
The greater opportunity, although again not necessarily a greater likelihood, for malpractice is in relation to the electronic devices used by the voter to cast their vote and a voter's own personal data security awareness.
With personal devices there is always a possibility that malicious software is present. If designed specifically in relation to a ballot, it could disrupt, change, or read and communicate to a third party the voter's vote. Whilst anti-virus software exists, it must be kept up to date and can only protect against known issues. It is important here to ensure voters are aware of the risks of using electronic devices and of the need to maintain personal data security, for example by keeping authentication codes secret and appropriately deleting and destroying voting information.
It is possible to provide voters with the opportunity to independently check if their vote has been received and how it has been recorded. This is known as a voter verified audit trail (VVAT). This can be set up using voter receipts and separate websites or telephone lines to confirm the vote, or even a separate postal receipt sent to a personal postal address. For contentious and high profile ballots the use of VVAT may be an added security measure that enhances the integrity of the ballot.
BENEFITS OF ELECTRONIC VOTING
People are now using electronic devices every day to transact and communicate and there is an increasing expectation that they should be able to vote electronically. As with any method of balloting there are, as we have seen, risks connected with electronic voting, but there are also notable benefits.
Flexibility and Efficiency
Through the use of e-mail and text the opportunity to vote can be delivered promptly and efficiently to voters. When multiple voting channels are provided electronic voting can provide voters with the choice of voting in the manner that best suits them and reduces barriers to entry.
Accessibility and Accuracy
If designed correctly, electronic voting can facilitate the use of assistive technologies (for example, screen reading software), enabling people with physical disabilities to participate in a ballot without the requirement to divulge to a third party how they wish to vote. Electronic voting systems can also provide voters with the opportunity to correct their votes and prevent the casting of spoilt votes.
Engagement and Participation
Particularly in relation to online voting, voters can be presented with a more engaging voting experience, increasing the likelihood that voters will participate in a ballot from an informed position.
The provision of electronic voting in a ballot will not of itself increase participation but it does enable voters to cast their votes with greater certainty of receipt by the required deadline when reminded to do so.
Outside of public elections, every year in the UK millions of individuals have the opportunity to vote electronically in ballots being held by the organisations to which they have chosen to belong or are employed by. The only area where individuals are not able to vote electronically is in relation to the statutory ballots that are required by the Trade Union and Labour Relations 1992 Act.
There are risks associated with electronic voting but these are essentially similar to the risks associated with any secure electronic process. Many of the risks are also of the same nature as the risks already related to postal voting that is allowable under the 1992 Act, e.g. coercion and secrecy.
There is a small potential that electronic voting could prove problematic when third party, generally employer, resources are used to cast a vote electronically. But these factors can be avoided through voter education and the use of private addresses (e-mail, postal, telephone) rather than workplace addresses.
It is right and proper that appropriate consideration is given to the use of electronic voting methods in ballots and elections that are of public interest. ERS is of the opinion that the standards required for these ballots can be achieved.