Evidence of meeting #22 for Procedure and House Affairs in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was vote.
A recording is available from Parliament.
12:20 p.m.
President, Arc4dia
Definitely, at the moment, I would use video and voice over apps.
12:20 p.m.
Liberal
Mark Gerretsen Liberal Kingston and the Islands, ON
Okay.
I'll tell you how I picture it. You are authenticated. You are asked how you want to vote. Then you confirm how you want to vote, which is all how the U.K. does it. The final step would be an email sent to you saying “this is how you voted”.
Would that be a secure way of doing it?
12:20 p.m.
Associate Professor, University of Western Ontario, As an Individual
No.
12:20 p.m.
Associate Professor, University of Western Ontario, As an Individual
Email is not encrypted end to end.
12:20 p.m.
Liberal
Mark Gerretsen Liberal Kingston and the Islands, ON
No, no, the email is just an email confirmation of how you voted. It's just to let you know. That's your secondary step that you guys talked about—
12:20 p.m.
Liberal
12:20 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Thank you, Madam Chair.
Professor Essex, you said earlier that it is important to have a way to recognize when things go awry, but it is even more important to put that into practice.
Before the result of the vote is announced, the IT or security service could deliver a certificate stating that no technical problem occurred and there was no cyber attack. Only once that has been done would the result of the vote be revealed.
Would that be a good idea?
12:20 p.m.
Associate Professor, University of Western Ontario, As an Individual
There are a number of ways you could go about it. These would be procedural matters. The core procedure that needs to be in place is something to handle both, (a), when somebody doesn't have an opportunity to vote because of some kind of network issue, such as when the website goes down and you need to be able to recover from it; and (b), if it is detected that a member's vote was changed by accident, error, or otherwise. There needs to be a method to recover from both of those.
It certainly seems that you may want to have at least some kind of tiered or staged announcement of the vote outcome, a sort of preliminary and then final vote. You can be optimistic about it and announce a preliminary result, subject to the CSE or whatever. IT security might want to apply to it afterwards.
12:25 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Mr. Roberge, can a security certificate be obtained quickly?
12:25 p.m.
President, Arc4dia
Who would be issuing that certificate?
I am not sure I understand.
12:25 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
It could be provided by the House technical team. The certificate would state that no issue or cyber attack occurred during the vote.
12:25 p.m.
President, Arc4dia
I don't think such a certificate exists. However, we can have a measure of certainty.
12:25 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Mr. Morden, do you think it is important to have some time between the vote announcement and the vote itself for members to be able to come together and discuss? A vote is never black or white. It is important to give whips time in the democratic process.
12:25 p.m.
Research Director, Samara Centre for Democracy
I think time and predictability should be primary, first-order principles of a virtual parliament.
12:25 p.m.
NDP
Rachel Blaney NDP North Island—Powell River, BC
Dr. Essex, you were going to answer Mr. Gerretsen's question earlier. I'm really curious to hear your response.
12:25 p.m.
Associate Professor, University of Western Ontario, As an Individual
May I ask which question of the many I was asked?
12:25 p.m.
NDP
Rachel Blaney NDP North Island—Powell River, BC
It was just at the end, when he talked about the process that he saw. He outlined the email verification. You said there were concerns about that. I'm just wondering if you could clarify what those concerns would be.
12:25 p.m.
Associate Professor, University of Western Ontario, As an Individual
Those were concerns about email verification.
12:25 p.m.
Associate Professor, University of Western Ontario, As an Individual
Well, there has to be some avenue to verify or identify that a vote was correctly recorded. That could be via a website or some other channel. The issue we have with email is that it's not encrypted end to end. It's not a suitable technology for this purpose.
12:25 p.m.
NDP
Rachel Blaney NDP North Island—Powell River, BC
Thank you.
Mr. Roberge, you were asked a question about what method is the best—I'm going back to Mr. Gerretsen's question again—but what is the best method for transparency in voting? You said on the screen, yea or nay.
Can you speak about why that is the most secure, and any concerns you may have about using a smartphone, for example, to vote in Parliament.
12:25 p.m.
President, Arc4dia
To clarify Mr. Gerretsen's question, he was asking if the way the U.K. Parliament is doing it at the moment is pretty good. I find the way he described it—I'm not familiar with it—sounded good where you vote by video, and then there's validation through email. That's what I understood.
That sounds like a pretty decent and probably one of the best and easiest implementations we can do at the moment.
The reason is that even though deepfake is on the table, it's still one of the hardest attacks to pull off at the moment versus attacks on applications or some data in the database. Those are two different worlds of attacks. That's why I think voting with video confirmation, and then confirming with another method, either email or application, has high value.
