Elections Canada is working closely with Canadian security officials to address the “real risks” of potential hacking as the agency prepares to roll out new electronic voter-registration technology for the 2019 federal election.
Elections Canada has secured commitments from its outside contractor that the Apple iPads deployed at some advance polls will have never been used − and will never be used in the future − in countries outside of Canada’s “Five Eyes” security partners.
Internal documents reveal the sensitive discussions taking place inside Elections Canada as it prepares for an election campaign in an era when countries around the world are grappling with allegations of foreign interference and hacking in the democratic process.
Canadians will continue to cast their votes on paper ballots in 2019 and there are no federal plans to move toward electronic voting. However, new tablet-based technology called e-poll devices will be used for the first time in 2019 at advance polls in 225 electoral districts in an effort to reduce delays.
These devices will be used to register voters and record the fact that they have voted, replacing paper-based systems. Canadians who vote on election day will still face the traditional registration process in which their name is scratched off the voters’ list before they cast their ballot at a booth.
The contract for providing and servicing the new devices has been awarded to Compugen, a Canadian-based company, that will work with a U.S.-based sub-contractor.
Documents show that Elections Canada relied on extensive advice from the Canadian Security Establishment (CSE) – a federal agency focused on signals intelligence and cybersecurity – in awarding the contract.
Jacques Mailloux, the executive director of Elections Canada’s innovation branch, revealed in a Dec. 5 e-mail to a colleague that the CSE had raised some concerns with Elections Canada’s original plan for the polling technology.
Based on the CSE’s advice, Mr. Mailloux’s note said any bidder must guarantee that e-poll devices used by Elections Canada were never previously used outside of the Five Eyes community and that the devices will never be sold or leased after the election to any organization outside of the Five Eyes.
The Five Eyes refers to an intelligence-sharing agreement between Australia, Britain, Canada, New Zealand and the United States. An Elections Canada spokesperson confirmed the restriction and said it only applies to past and future use. It does not mean the devices must have been manufactured in a Five Eyes country.
Mr. Mailloux also stated in a Nov. 17 e-mail discussion that the “probability of moving to electronic voting in Canada will remain 0% for a long time,” but that Elections Canada must be prepared for the risks involved with its move to electronic registration.
“Canada will continue to have a robust, end-to-end verifiable voting system that has people presenting themselves to a polling place, showing ID and casting a paper ballot in an observable voting environment,” he wrote. “That is not to say that there are no risks, obviously. But we need to focus on the real risks that we will face with the specific plans that Elections Canada has for introduction of technology at the polls for GE43 [General Election 43 in 2019].”
The documents were obtained by researcher Ken Rubin via the Access to Information Act and provided to The Globe and Mail.
The CSE issued a public report in 2017 that outlined the specific security risks of moving to an electronic registration system.
“If voter registration occurs online, adversaries could use cybercapabilities to pollute the database with fake voter records,” the CSE warned. “They could also render the website inaccessible or have it display misleading information. Moreover, they could attempt to erase or encrypt the data and thereby make it unavailable. … It is also possible that the voter database – potentially containing millions of personal identity records – could be stolen, resulting in a massive breach of privacy.”
Electronic voter registration is already in place in Alberta, British Columbia, the Northwest Territories, Prince Edward Island and Saskatchewan.
A draft Elections Canada memo on “Electoral Integrity” dated October, 2017, states that “it has been determined that it is highly probable that cybercapabilities will be deployed in Canada ahead of the 2019 general election.”
As an example of cyberrisks, the memo points to the fact that U.S. Democratic presidential nominee Hillary Clinton faced a security breach in which private e-mails were stolen and published on WikiLeaks in 2016.