Saturday March 24th saw the New Democratic Party in Canada hold a leadership convention. Nothing new in that, except this time instead of the usual sending pre-selected delegates to represent regions, and vote on the floor on behalf of party members, from what frankly is a geographically huge country, this convention was unique, and somewhat experimental, implementing an online e-voting system for any member to participate in each ballot from anywhere.
On paper it is seemingly an acceptable technological challenge, and nothing that is totally new within secure e-commerce, or even corporate share holder events. The NDP have 130 000 declared members; it is a simple process to tag each with a unique online identifier for tracking, and provide a login/password for e-voting access.
The problem is tying an online system to a live, dynamic multi-ballot political leadership conference where candidates are voted off the list at each stage, and opening windows for members to vote again. At any point, if the technology breaks down, or the online security is breached, the entire process can stop. In a delicate political situation where the leadership of a party is at stake, any issue which stalls access, or deems the process unreliable, can have major impacts. Especially for a party which holds official opposition status.
During the actual convention, as the 2nd ballot opportunity was opened an apparent DDoS attack on the NDP e-voting system was launched. This affected not only party members trying to access and vote online, but also the 4300 at the actual Toronto convention site, as that was the system they had to use. The snaking lineups of people trying to vote from the convention floor only mirrored the frustration of thousands more attempting to vote from across the country, in fact some were on holiday or business in the US and elsewhere worldwide. While online service was restored to the conference floor, and later to the wider online voter base for the 2nd ballot, problems surfaced again for the 3rd, and later 4th and final vote.
To make it clear: the NDP convention team itself stated to the assembled media it was a DDoS attack, and they had identified two IP addresses as being responsible. This while some media outlets, and social media pundits, were messaging ‘hack’. There is a large difference between the two definitions: DDoS – commonly defined as ‘distributed denial of service’ is designed to overload a web server using multiple computers, on many different IPs, and essentially overwhelming its ability to individually serve a webpage or program. As an analogy, it’s like jamming a multi-line phone board with calls. At a certain point the capacity to serve content breaks down. A ‘hack’ is different. In the negative sense it is an attempt to subvert security controls, enter into an online database of information and page content, and either download, manipulate or alter that content.
The NDP have Price WaterHouse for the voting audit, and one hopes they will report very quickly – at the very least to affirm the security around the online voting process was not compromised.
As an affirmation, what the NDP accomplished during the actual convention day is the way forward. Despite a total of 8 hours delay due to online voting technology issues: and kudos to the conventioneers, media and online participants who stayed, it allowed for a more direct and personal interaction for NDP members. (Note – I am not a member of any party, and did not participate in the vote)
The NDP hired the firm SKYTL – a Spain based e-democracy company, with offices in Canada, to run the e-voting system for the convention. Despite the on-day issues it appears they were able to either overcome, or had back-up plans in place for a credible compromise.
The lesson is twofold: securing an online voting process is one issue, and there is nothing indicating the actual voter database, or information was breached during the NDP convention. However, a DDoS is a simple, effective method to upset online participatory democracy – it could be initiated by bored teenagers, a rival party, a company, or even a country. How many were prevented from voting online is the question – how many gave up? The optics for the NDP are not good: during spring 2011 Federal election, and the leadership campaign, the party has almost doubled to 130 000 members, yet only around half voted in the leadership convention.
There is demand for greater participation at all levels of policy and politics – voting is key. The NDP are to be congratulated for taking the risk, and largely accomplishing the goal during a leadership convention. The wake up call is to all other parties, and candidates, and in fact government, that IT security cannot be taken for granted.
As always – your comments and thoughts are welcome….