In my own city, Edmonton, they have been talking up e-voting for a while now. There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election. (More information can be found here and here.)
First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking. These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives. And the proposed e-voting identification process is an interesting one…
To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.
The City’s new project has an identity proofing process for this pilot project. It includes a unique method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website. Allowed documents include drivers license, passport, Canadian military cards, etc. (see sidebar).
The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.
This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).
But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient. On first review (I haven’t done a deep dive s feel free to correct me!) here are a few things that might be compromised by such a process:
- How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place? For example, the passports for a household might be stored in a filing cabinet. Let’s say one member of the household is politically active and the rest don’t vote at all. How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
- There may be a privacy issue here. Scanned identification documents contain a payload of sensitive information. My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process. But it also contains my passport number, my place of birth and my citizenship. None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
- Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability. For example, the Alberta drivers license has a hologram on it and ‘declined width text wave’ feature (and these are just two of a dozen security features). How do these features translate to the scanned image? Assuming many of these features do not translate well, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?
It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.
Mike