LAST month, the Supreme Court allowed overseas Pakistanis to vote, using available internet voting software called i-Vote (developed by Nadra) in the upcoming by-polls. An internet voting task force (IVTF) was set up by the Election Commission of Pakistan (ECP) to test the software’s viability. The Supreme Court ordered moving forward on the software, although the IVTF raised concerns in its report. An estimated six million voters overseas will be able to exercise their right to vote.
While the court’s decision is a giant leap forward for the adoption of technology to boost democracy, there are at least three issues to consider. The foremost concerns are of security and reliability when it comes to voting over what is called the Internet Ecosystem. In fact, the report is a commendable effort by experts who’ve raised valid points (although other issues, too, could have been highlighted in detail). There is also a feeling that the judgement might not have analysed the recommendations deeply enough.
The issue of security and reliability of internet voting is not new. Renowned software security researchers have often raised concerns about using internet software on a national scale. Internet voting operates in an insecure space. The internet itself and personal computers are not trusted voting agents, and voting via this medium can endanger the poll process through vote-buying and problems of verifiability, accessibility etc.
A fundamental problem underscored in the report is how i-Vote compromises major voting procedures and doesn’t provide ballot secrecy as required by Elections Act 2017 and Article 226 of the Constitution. The report further highlights the possibility of vote-buying and the ECP’s inability to investigate such issues, should they arise, due to a lack of the required mandate.
Some basic issues pertaining to internet voting must be addressed.
More seriously, the report also demonstrates the possibility of attacks on i-Vote which can leave the voting process vulnerable. For example, the report highlights the possibility of large-scale attacks on the system which could be launched with nothing more than a web browser by someone with moderate technical ability. Phishing attacks are also possible, in which misleading emails could be sent to users prompting them to vote on fake voting websites. The use of third-party components that have been phased out because of compromised security has also been pointed out.
It also appears that the software will be one of the largest deployments anywhere in that it will support 6m overseas voters. One expects extreme caution and prudence for a system to be operated on such a scale but the report points to neglect.
Worryingly, i-Vote was developed without any software requirements specification. This is akin to building a huge housing unit without outlining structural and architectural evaluation and specifications. Would such a housing unit be considered safe to live in? Furthermore, no documentation was found for key operational processes — for instance, who will administer the system, where will it be hosted etc. Also, no planning around monitoring requirements on election day seems to be in place. Although the report highlights critical issues in most components of i-Vote, it could have discussed a few things in greater detail. For example, a more detailed analysis of software code and results of stress testing i-Vote would have been useful.
As far as the judgement is concerned, there appears to be some difference in how the issue has been portrayed (by the court and the IVTF). For example, the judgement says, “While there were certain technical and security apprehensions about allowing overseas Pakistanis to vote via the internet, the report was generally positive and encouraging.” The IVTF says, “Hopefully, this discussion thus far demonstrates to the reader why internet voting is recognised by security experts to be a controversial and risky undertaking”, and it concludes by asserting, “We would, therefore, urge all stakeholders to exercise extreme caution in approaching the question of internet voting.”
The court order also missed the opportunity to address some fundamental issues pointed out by the IVTF. For example, it didn’t talk about establishing a dedicated R&D cell within the ECP. The IVTF also recommended deploying the system progressively, eg by first using it in surveys and non-political elections. The IVTF’s report recommended considering less risky and less controversial modalities before resorting to the option of internet voting, ie voting through the embassy and postal ballot. These should have been considered.
Any haste in approaching the question of internet voting is undesirable. From what I see, the risks of what we stand to lose outweigh what we can gain by implementing solutions that have not been fully developed. Because of the controversial and risky nature of internet voting, it makes one wonder whether this haste will strengthen democracy or weaken it.
The writer is a freelance contributor based in Lahore.
Published in Dawn, October 2nd, 2018