Paper ballots protect against hacks, but other election cyberthreats loom

OTTAWA – As the potential for cyberattacks to undermine the democratic process becomes alarmingly clear, Canadians can take some comfort in the fact that national elections in this country are still conducted the old-fashioned way.

Canada is not immune to cybermischief aimed at suppressing the number of people who vote or manipulating how they vote. But once ballots are cast, not even the most sophisticated cyberattack could tamper with the results.

That’s because Canada still relies on paper ballots, hand-marked by voters and hand-counted by officials in some 25,000 different polling stations across the country, under the watchful eye of scrutineers from each of the major political parties.

“It’s highly decentralized and it’s paper-based so documents can be verified easily afterwards,” says Marc Mayrand, Canada’s chief electoral officer until his retirement just over a year ago.

“So, there may be an error in transmission from time to time or there may be somebody trying to hack the web system that publishes results for the general public. But it’s always verifiable, you can always go back to your paper trail.”

The same can’t be said of some other countries that have endured cyberattacks during elections, particularly the United States.

For that matter, it can’t be said of local elections in many Canadian municipalities, which Mayrand notes have been much more enthusiastic about embracing technology like electronic ballot scanners and tabulators and online voting — and which consequently leave municipal elections with a “higher degree of vulnerability” to hacking.

Democratic Institutions Minister Karina Gould says cybersecurity experts recommend sticking with the old-fashioned way of voting for federal elections “because the reliance on paper ballots results in a more secure system.”

But it’s somewhat cold comfort that ballot counting can’t be interfered with if cyber-shenanigans can influence for whom those ballots are cast — or even prevent some Canadians from casting them at all.

So far, the only real mischief in this country was the robocall vote suppression gambit used in the 2011 federal campaign, in which thousands of voters in almost 250 ridings across the country reported receiving automated phone messages advising them, falsely, that their polling stations had been changed. A low-level Conservative operative, who always proclaimed his innocence, was eventually found guilty of employing that scheme in one Ontario riding.

“I won’t hide it. The robocall incident was an eye-opener,” says Mayrand. “As we learned from the robocall incident, technology is extremely cheap and easy to use to try to manipulate the electoral process or voters in that case.”

The incident prompted Mayrand to set up an election integrity office within Elections Canada, aimed at identifying trends in cyberthreats here and around the globe, assessing risk and setting up systems to track and prevent nefarious activities.

The office has undoubtedly been working overtime in the wake of the 2016 U.S. presidential election, in which Russian operatives have been accused of hacking the emails of the Democratic party and its candidate, Hillary Clinton, as well as electronic voting systems in as many as 39 different states.

Moreover, the Kremlin has been accused of orchestrating the use of “bots” — automated software posing as real people on social media platforms like Facebook and Twitter — to disseminate fake news, amplify certain messages and incite animosity and divisions.

Russia, which denies the allegations, has since been accused of orchestrating similar destabilizing electoral activities in the Czech Republic, France, Germany and Mexico.

Mayrand doubts Canada would be as tempting a target for foreign interference in its elections. He’s more concerned about individuals who might want to disrupt an election just for the sake of sowing distrust in the electoral system or political operatives who might try to manipulate the results to favour a certain party.

On that score, bots are already a feature of Canadian campaigns.

Research conducted by communications professors Fenwick McKelvey and Elizabeth Dubois and published last November in Policy Options found that bots were used during the 2015 federal campaign to amplify alternative news sites, as well as in Quebec in 2012 to amplify support for the fledgling Coalition Avenir Quebec.

Amplifier bots “can inflate social media rankings, duping reporters, the public and even parties and politicians into thinking a post has more support than it actually does,” the duo wrote.

With the decline of traditional media as a source of reliable information, Gould, who has been charged with ensuring Canada’s electoral system is protected from cyber threats, sees an additional worry: social media acting as a sort of echo chamber in which voters are only exposed to the views of those who share their viewpoint.

“When you’re out in the world, you interact face-to-face with people with different experiences, from different backgrounds, who have different opinions from you. These individuals might challenge you in your beliefs and influence you to think differently,” she says.

“But online, algorithms can create a filter bubble where we are only exposed to ideas that reinforce our own thinking.”

Social media providers have so far been left to self-police the use of their platforms to manipulate voters and have taken some initial steps to address the problem. But Mayrand thinks it’s time to consider making them legally accountable for how their platforms are used.

“They can’t just operate a highway and ignore all the dangers that run on that highway. Now, it’s a complex issue, it’s a difficult one. but we’re starting to realize, I suspect, that the erosion of traditional media and the opening up to all sorts of information, unfiltered, unfettered, needs to be considered,” he says.

“I don’t know, if you provide a vehicle to commit a crime, I’m not sure you should be entirely free of charge.”

Germany last year introduced legislation that would compel social media giants to quickly remove criminal content and fake news that incites hate or face multi-million-dollar fines.

Gould won’t say whether she believes Canada should take a similar approach. But she says: “We need to balance an individual’s right to free expression with an individual’s right to not be misled and to make decisions for themselves.”

Mayrand also believes it’s high time political parties, which have amassed enormous data bases of detailed personal information on Canadian voters, are held to the same legal standard as any private enterprise for the collection, use and protection of personal data.

On that score, Gould seems content to let parties police themselves, although she’s arranged to have Canada’s electronic spy agency, the Communications Security Establishment, advise parties on best practices to protect themselves from cyber threats.

“No party wants to be responsible for a data breach. It is in their own best interests to protect the data that they have and to use it responsibly,” she says.

Still, in an assessment last June of the cyber threat risk in Canadian elections, the CSE pointed to political parties, individual politicians and the media — both traditional and social — as being most vulnerable.

The agency concluded that there were some low-level, unsophisticated cyber attacks during the 2015 election, which didn’t have any real impact. However, it warned that more attacks — and likely more sophisticated ones — can be expected during the next election in 2019.

Top Stories

Top Stories

Most Watched Today