Procedure and House Affairs Committee on June 11th, 2020

Good morning and thank you, Chair.

Thank you for this opportunity to speak to the committee.

As I was preparing for this statement, my son reminded me that a group of owls is called a parliament, so let me say what a hoot it is to be here this morning.

My name is Aleksander Essex. I'm an associate professor of software engineering at Western University. My research is in cybersecurity and cryptography, but my expertise is in the cybersecurity of elections.

I've studied cybersecurity issues of online voting extensively in Canada and abroad. I frequently share these findings with election agencies and commissions, municipal councils and associations. I co-authored the 2013 cybersecurity analysis of vendor proposals for the City of Toronto regarding their online voting RFP. I led a cybersecurity study of online voting use in the 2018 Ontario municipal election. In February I spoke at the New South Wales parliamentary committee on electoral matters about their online voting system. Next month I'll be speaking to a Northwest Territories legislative committee about their new online voting system.

More recently, I've been working with Dr. Goodman—who's speaking next—to try to advance the cause of cybersecurity standards for online voting in Canada. Our country actually has one of the highest rates of online voting use in the world, but somehow we have no standards for any of it. As you can imagine, this has led to a number of troubling incidents and, in my opinion, a very intolerably high cyber-risk exposure.

I've seen a lot of bad voting technology in my time, so back in March, when Dr. Goodman and I heard that Parliament was studying the issue of remote legislative voting, we wanted to get out in front of any potentially dubious proposals, such as the EU Parliament’s idea to use email for voting. We wrote an article in Policy Options to try to provide some food for thought. It was interesting, because although the article was about how to do remote legislative voting in a safe, cyber-conscious way, all the feedback we received revolved around the importance of parliamentary tradition.

I agree that parliamentary tradition is really important, but our present circumstance isn't exactly traditional. The Globe reported this week that there have been 38 regular sittings of the House in the past 12 months. That's not tradition. There were 30 members voting on historic spending measures. That's not tradition. All the members were meeting in a kind of supercommittee but not actually voting. That's not tradition either.

Here we are. What are we going to do?

The good news is that remote legislative voting happens to be a way easier technical problem than online voting for general elections. There are a couple of good reasons for that. One is that unlike a general election, Parliament can support MPs with secure technology and training. Most importantly, legislative votes are not secret. They're a matter of public record. That means you can go back and check what was recorded. It means you can actually detect when things go wrong.

Here's where we have to be careful: It's not enough to be able to check. You need to actually do it, and you need to have procedures in place so that you know what to do when things go wrong.

This might seem like a totally obvious statement, but it's actually not. I mean, it should be, but our experience has demonstrated, time and again, a kind of bias in the election world to, frankly, only prepare for disasters after they've already happened. We're saying let's not wait. Let's anticipate. Let's build it right from the beginning.

Let me give you an example. Six months before the 2018 Ontario municipal election, I did a story with CBC about how I was worried that the cities that were doing online voting didn't seem to have a cyber-incident response plan. Imagine the Internet goes down on election night; what are you going to do? What's your game plan? CBC then went and interviewed a number of city clerks. Several of them admitted that they actually didn't have a plan. One even literally said that they were hoping nothing happened.

What do you think happened? One of the online voting vendors accidentally didn't provide enough bandwidth. The online voting websites of 43 different cities, accounting for almost a million voters, went down on election night, and 35 of those cities used emergency measures to extend the voting period by 24 hours. It wasn't just that these cities didn't have a plan in place. It's that they didn't think it was enough of a risk to even have a plan for it.

You might think that this was just a fluke, but a similar situation happened in New South Wales last year, which is why I was testifying there. I was telling them about what happened in Ontario because it was related. Their registration went down on the eve of the election. You might think that this is all good, that this all applies to general elections, that legislative voting is different. However, just last week in Sarnia, Ontario, a city council vote actually passed by mistake. It turns out that the world “disagree” sounds exactly like the word “agree” if the first syllable drops out in a glitchy Zoom connection.

Fortunately, the staff was on the ball, and they caught it this time, but what about next time? Obviously, we need procedures to make this kind of checking repeatable and, by the way, part of the ultimate eventual tradition.

We have only touched on accidents and mistakes, but we're also worried about deliberate efforts from advanced persistent threat actors like nation states. We have seen these kinds of advanced threat actors living in the IT infrastructure of our cities. If they're willing to spend months mapping out a system for a few thousand dollars of potential ransom money, imagine what they could do to an election. Then, why even hack an election when you could just hack the law itself?

Let me conclude by summarizing a few takeaways. Secure, remote online voting for non-secret parliamentary divisions is doable, but it has to be done right. There have to be procedures for detecting errors, whether they are due to hacking or accidents or disasters. Someone has to be responsible for checking that an MP's vote was correctly recorded. There have to be procedures for granting opportunity to recover from that error, and we have to confront our temptation to think that nothing is going to happen.

I heard that people were talking about tornadoes last night and windows blowing open, and these sorts of things don't happen until one day they do.

Madam Chair, thank you for letting me share these thoughts with you. It would be an honour to answer any questions the committee may have.

Thank you.

Good morning. I’d like to begin by thanking the chair and members of the committee for the invitation and the opportunity to speak today and share my research and thoughts.

I've spent the past 11 years working in the area of electronic voting, both within Canada and internationally. This work has involved leading and coleading projects to examine the effects of remote online voting in the context of municipal elections, indigenous elections and a range of political party votes. Beyond social and political effects, I have been looking at the cybersecurity of digital voting from a policy perspective and exploring regulatory possibilities. Much of this work has involved collaboration with my colleague Dr. Essex.

Today I’d like to make four specific points: one, why online voting works for legislative voting; two, the types of remote electronic voting that could work in a legislative context and which one is best for Canada’s House of Commons at this time; three, how this work could make the legislature more flexible and accessible in the future; and four, some opportunities for thought leadership.

To begin, I’d like to provide the committee with some context about the core debate surrounding voting remotely over the Internet.

There are two primary sides of the debate, which usually focus on deployment in public elections. On the one hand, there are arguments for the benefits of online voting, such as enhanced accessibility, convenience and increased turnout. These benefits have been documented in municipalities and first nations in Canada. On the other hand, however, there are concerns about the cybersecurity and privacy of the vote. In some instances, online voting trials supporting public elections have been halted or cancelled due to security concerns or the detection of vulnerabilities. Two examples include a system in Switzerland and one in New South Wales, Australia.

This debate is relevant for the committee’s consideration because remote online voting can support Parliament to continue during the pandemic without sacrificing representation and the inclusion of members. At the same time, there are unique characteristics about legislative voting that make remote online voting possible and the cybersecurity more solvable than in public elections. As my colleague mentioned, the reasons for this are outlined in our brief to PROC: An MP’s vote is a matter of public record, and the federal government has the resources and capacity to support the cybersecurity infrastructure and implement necessary policy and procedures.

Based on our review, there are four main types of electronic voting that could enable remote voting for MPs. There's email voting, where members receive a ballot form electronically via email and submit their votes via email. This approach is being used in the EU Parliament. There's web-based voting, which is used in public elections and party votes in Canada. This involves ballots being accessed and cast via a website. An example of this is the U.K. House of Commons' MemberHub system. There's application-based voting, where members download an application to access and cast ballots. The Chamber of Deputies in Brazil has taken this approach. There's also video voting, where members vote via video by a show of hands or by voice. This is being used by local councils across Canada. Belgium, for example, is also using this for its committee votes.

All of these approaches have benefits and challenges, with email voting being the least secure and posing the greatest risk. In a legislative context, video voting presents probably the best or most usable solution for regular non-anonymous parliamentary votes. There are some benefits to this approach: It poses less risk, although there are still risks that need to be managed; it is the easiest to deploy and requires less technology; and it interfaces more closely with the parliamentary tradition of standing in the House.

Implementing video-based voting would require establishing some procedures. Here are some examples.

One is establishing whose responsibility it is to watch and record a vote. This could include staff members, MPs, party whip offices or perhaps a special segment of staff who support digital House matters. One consideration here is to think about putting a process in place where votes are double verified either by two individuals or across two different areas.

Another example would be mandating neutral backgrounds in video conferences to ensure that there are no images in the background that could send messages or carry a partisan tone that couldn’t be visually signalled in the legislature.

A third example would be allowing the Speaker to call for a revote in the case of technical errors. This was a procedural change introduced in the U.K., for example.

This does not mean video voting is without challenges or would work in all contexts. Anonymous votes, for example, would not replicate well on Zoom.

My third point has to do with making the legislature more flexible and accessible. Enabling a system for remote online voting could have future benefits in keeping legislative business moving in times of crisis, such as with COVID-19, climate change and future viruses, and in the context of accessibility for individual MPs.

The option of remote online voting could provide MPs with improved access to voting under special circumstances, such as in situations of maternity leave or parental leave following the birth of a child; in times when an MP's constituency is faced with a specific crisis, and they are torn between being in their community or advocating for their constituents' interests in Ottawa; or in cases of sickness where a member is not able to physically attend the legislature.

This committee considered proxy voting and electronic voting in 2016 as part of a study on how to make the legislature more family-friendly. However, no recommendations were made at that time. Other legislatures, like the U.K. House of Commons and Australia's House of Representatives allow for proxy voting for new parents, while Canada's House of Commons currently requires a member to be present in the chamber to have their vote recorded.

I understand that witnesses have been unanimous that the committee consider these changes for the pandemic only. However, thinking about how such a system could enhance the participation, representation and inclusion of members in certain circumstances is part of modernizing the legislature.

In closing, while the committee does not have to engage in a typical online voting debate, we see with regard to public elections, it does have to engage in its own debate about maintaining parliamentary tradition versus modernizing to become agile in uncertain times.

Finally, there are two opportunities for thought leadership. The committee's work in this area on policies and procedures for remote voting could not only benefit the House of Commons in the future but also other legislatures across Canada and abroad.

There is currently no regulation of remote online voting in Canada, so as we think about the adoption of voting technologies in the legislature, we might also reflect on how this conversation could later benefit electoral integrity in the context of public elections.

Thank you.

Thank you very much, Madam Chair and members of the committee, for inviting me to participate.

I will start with a bit about me. I have worked in cybersecurity, facing the most advanced cyber-attacks in the world for the past 20 years, both within government and as an entrepreneur. I am currently leading Arc4dia, where we are providing services, acting as the last line of defence to detect intrusions by leveraging our proprietary software. We have been operating remotely and decentralized since I founded Arc4dia 10 years ago. I also participate within the Bitcoin community, both publicly and within invitation-only fora, as a think tank in security and game theory in the ecosystem.

I came with a few points to share with this committee from listening to the previous meetings. Although I only listened to a few, I do have some observations.

I observed a resistance to change that is driven by a desire to keep what works well, and that, due to past errors, hurts collegiality. It is true that change is a threat vector that can be exploited by others. However, being static is also a weakness that can be exploited to prevent us from fixing what we have broken in the past or what needs to change in order for us to adapt. With the world changing around us, and very fast, with the rise of artificial intelligence combined with cyber-domain attacks and social engineering driven by artificial intelligence, I believe we need to change and adapt and, even better, be ahead of the curve.

To do so, and to dwarf non-genuine influences, we need to strengthen collegiality. It is by knowing each other more intimately that we will detect and see attacks against us and have the agility and the speed necessary to react before damage is done. For example, limiting or reducing face-to-face interaction has been brought up by many during the hearings as a change that will have negative outcomes for the effectiveness of our democracy. These are the kinds of changes where we need to be agile and be able to bring back collegiality. I heard that some get-together dinners were removed from the tradition of the House of Commons, where opposing parties had held discussions in a more relaxed and convivial atmosphere. I would advise you that such sittings are very important in our defence against cyber-domain attacks.

Understanding the nuances of our interpersonal and professional communications is essential in detecting subtle attacks against us. Our adversaries will look for ways to interfere with all forms of communication, and not just the written kind in email, texts and online postings. For example, during video-based presentations they will or could disrupt images and the tone of voice in an effort to inject or alter messages of body language, facial expressions and the intentions of our elected officials. Without our collective understanding of what right looks like, we will fail to see the subtle attacks that will eventually lead to more brazen and flagrant attacks.

I also observed concern with e-voting. E-voting and the use of technology should complement and reinforce one vote. Make sure your voice can be heard and make sure it is accurate. The way I see technology and software is that they augment our reliability and agility in our voting process, and perhaps even make it antifragile. We need to move away from using a single platform to vote, in favour of adding technological compatibilities to strengthen the reliability and the resiliency of voting. Perhaps we should vote on video, as well as signing our votes with dedicated, secure hardware. We can then audit that our votes are correct. Perhaps we could time-stamp our votes with a Bitcoin blockchain, making them forever verifiable.

In short, diversity—one might say multifactor authentication—in our methods of conducting business face to face, by voice and electronically will make it more difficult for our adversaries to achieve their desired outcomes and improves our opportunities to detect their attacks. These ideas and improvements should come gradually, holistically and in an agile process. If not already in place, I would recommend that the House of Commons put in place such processes, supported with permanently ongoing threat and risk assessment, versus the typical static evaluation that ends up on the shelves collecting dust to check some accreditation marks.

In closing, the three observations I have described are woven together by a common thread; that is to say, defending ourselves is more than simply a technology issue. To protect the integrity of the House of Commons and the parliamentary process so that legislation, policies and directives of the Government of Canada truly represent the intentions of the electorate, we need to provide the electorate with the highest level of confidence that the actions of the House of Commons are truly what they are supposed to be.

Regardless of the method of operation, whether it is in person or virtual, the importance of this cannot be overstated.

We require defensive measures, assessed and developed in a holistic and continuous threat-risk managed manner that address all forms of attacks, such as political attacks on infrastructure and people, attacks that attempt to compromise the integrity and loyalty of our people, attacks that attempt to compromise or disrupt the integrity of our supply chains, attacks aimed at disrupting our ability to determine truth from fiction, and of course, attacks that attempt to disrupt or compromise our IT systems. There is no higher calling than to protect our democratic institutions and our country.

I thank you, and I look forward to your questions.

Thank you, Madam Chair, and thanks so much to the members of the committee for this opportunity to address you.

My name is Michael Morden. I'm the research director of the Samara Centre for Democracy. The Samara Centre is an independent, non-partisan charity that is dedicated to strengthening Canadian democracy through research and programming.

We want to thank the committee for undertaking this study. Given the scope of the crisis, the scale of the government's response and the enormous uncertainty that exists, Parliament is not optional at this time. The only question to address ourselves to is how to make it work. Arriving at a solution that commands some measure of cross-partisan support is a solemn responsibility that falls to you.

I understand that our presentation comes perhaps somewhat late in your deliberation. Nevertheless, I think it's useful to consider questions of politics and principle at the same time as technical ones, to remember why we're pursuing this, and not to miss the forest for the trees.

The Samara Centre supports a move in the immediate term to hybrid virtual and in-person sittings of the House of Commons, with remote voting for those who are unable to attend in person. We think the hybrid virtual model is the best among imperfect options.

To be clear, the best of all versions of the House of Commons is the one in which 338 individuals share a room, and there are a lot of reasons for that. We've been a consistent voice in calling for members to spend more time together in Ottawa, to facilitate collegiality and to build informal relationships between members, parties and chambers. However, given the limits imposed through physical distancing, and credible concerns about travel, in our assessment, that option just isn't on the table. We need a full-service Parliament now and, in our view, through the summer.

I hope the option of a full, in-person convening of the Commons will return soon, but we're clearly in a state of deep uncertainty. As the second-largest country on earth, we may find that we're uniquely challenged to get back to full physical national sittings of Parliament. It's a necessary step in the immediate term and a prudent step for the middle term to institute the capacity to resume full parliamentary business with remote participation.

I want to foreground the values that lead us to that conclusion. In times of uncertainty, it's often worthwhile to return to first principles. Parliament exists for scrutiny, to enable the passage of legislation and also for democratic representation. The most desirable pandemic Parliament is one that strikes an appropriate balance between all of those functions. We feel that the current approach, employing a handful of day-long sittings in addition to committee work, is not sufficient to deliver the level of scrutiny, productivity and representation that's required.

We also take issue with any approach that would convene the Commons but exclude most of its members, for example, by operating on the basis of a skeleton crew of 40 or 50 MPs. That approach facilitates some scrutiny and enables the passage of legislation, but in our view, it comes at the expense of democratic representation. Some 18 million Canadians voted last fall to send individual representatives from each of their communities to Ottawa, and it's no small thing to render the vast majority of those communities unrepresented in the Commons while these momentous decisions are being taken.

For that reason, we think the best balance between scrutiny, productivity and representation is struck with a hybrid Parliament permitting remote participation, including remote voting. The technical challenges posed by such an approach are not insurmountable. Many other jurisdictions have walked this road. There are different models available to us, as Dr. Goodman described, and the House of Commons administration deserves particular praise, in our view, for adapting and adding capacity with alacrity.

In our view, there's no question that remote voting is feasible. It's feasible to do it securely, and it only awaits a decision by parliamentarians.

In the early stages of the pandemic, we supported the notion of incremental adaptation. Moving to a hybrid virtual Parliament was never going to be as simple as flipping a switch. We now have proof of concept, both in the experience of other jurisdictions and also in Parliament's own experience of authorizing the virtual conduct of some business activity. At this point, we hope that the committee will provide the Commons with a strong prompt to move as quickly as is feasible to resume full parliamentary business with remote participation.

We believe that legislative business should not be limited to the pandemic response alone. We welcome the granting of committees the opportunity to discuss other issues. We would like to see that reflected in legislative work as well. There are a range of issues that were urgent in January and February of this year that are no less urgent now. Just as doctors warn about the possibility of secondary health crises that are a consequence of delaying treatment for non-COVID-19-related illness, Canada may also become vulnerable to multiple crises during and after the pandemic if we can't attend to the policy needs that existed before it.

We also believe that the hybrid virtual Parliament's business should include opposition days and private members' business. No one has all the answers right now, so this is a really good time for multiple inputs.

In closing, I want to mention briefly that the Samara Centre periodically surveys MPs, and we're doing so now precisely on the question of how the pandemic has affected and should affect parliamentary work. We're always keen to develop an accurate picture of members' views on this issue and develop a body of evidence, and we encourage all members to make use of this anonymous platform to share your expertise.

Thank you very much.

Obviously, the ability to engage in parliamentary debate is central. It speaks to the scrutiny function that Mr. Morden spoke to about presenting motions.

My testimony focused more on the voting aspects, like you said, but that's not to negate the importance of those functions. I don't think they can be replicated in an online setting the way that they take place in the legislature, and I certainly wasn't advocating for that, but I think we need to be able to find a workaround in the interim to keep representation moving and ensure that we're not having these modified sittings with a few MPs where representation is compromised.

I definitely think this is a solution for emergency situations, definitely times of crisis. My point was that we have a crisis now, unfortunately, which presents challenges but also presents opportunities. That's not to say we won't have a crisis in the future.

Government too often is reactive instead of proactive, so let's use this time to develop a thorough, robust solution for emergency situations, because there could be another virus, there could be a revisitation of the COVID rates increasing and there could be an issue of climate change.

My only point about considering modernizing the legislature was specifically enabling remote voting or considering enabling remote voting for specific circumstances that individual MPs may be in, but I definitely am part of the camp that believes that Parliament functions best when members are in the House actively debating and engaging.

What I have received from these deliberations is near-universal consensus that these should be temporary measures. I think it's important that members bear in mind the potential negative consequences. We don't want to diminish the costs, which we think are real, but this isn't, in my view, about modernization. It's really more a radical adaptation for a radical time, which we hope won't persist.

I think we can feel relatively comfortable. I reject the notion of a slippery slope in that I'm fairly confident, based on the deliberation I have heard from members, that they are able to distinguish these times from normal times and would prefer to return to a normal Parliament as soon as possible. I think we have to do what we've done in so many sectors, which is to embrace choices that wouldn't be acceptable in a normal time.

Right. Without going into that we cannot really replace the beer time and get-together time, the social angle of the debate, technically I think it will be possible.

I don't know that it is at the moment, but at the speed that artificial intelligence is going, if we're not careful, it would be possible, eventually, to do deepfakes during video conferencing, potentially.

There was a bit of editing that went on after the fact, but what I am simply here to say is that, compared to the cybersecurity risks of online voting for general elections, online voting for legislative or parliamentary divisions doesn't pose the same sort of basket of threats. It is possible to do with careful design.

Yes. I would echo what my colleague, Mr. Essex, articulated, which is that there are obviously challenges that cybersecurity experts and the cybersecurity community raise with respect to secret ballots in public elections. Because it is an open public vote, we're able to overcome some of those in a legislative context.

When we said that, we were speaking as members of the public looking inside at what is ultimately a mostly opaque infrastructure—the intelligence community, the CSE. We don't really know exactly what they do, but we do know that they're there and we do know that they have a mandate to provide security services for government.

I don't think, if you were a municipal council, you would have access to that level of assistance—