Online NEC voting - secret enough?

rwendland Thu Jul 03, 2008 at 01:42:21 PM GMT Print-friendly version Facebook

I've just voted online for the NEC, Treasurer & Auditors, and the voting system secrecy seems inadequate to me. You have to give your membership number to vote, unlike on the paper ballot; and the voting data is transferred unencrypted so could be observed in transit.

Update: The lack of encryption issue has been fixed after I reported it, with voting now at the rather quaint URL: https://clarahost.clara.net/www.kenda.co.uk/labourparty/ - though using a sub-contractor of a sub-contractor of a contractor's SSL Server Certificate means users cannot verify from the certificate or the URL that this is the genuine voting website, and have to take that on trust.




Secrecy and security for web forms is usually provided in the web industry by using HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), which encrypts the data. This is very standard in the industry, and any competent web company can easily deploy this. Is there any good reason why this was not done for the NEC election?

It appears voting has been contracted to Popularis Ltd, who claim on their website that:

On line systems are provided for Popularis by its partner, Everyone Counts using end-to-end encryption of ballots as the basis for security

However for the NEC ballot Popularis appear to have sub-contracted out internet voting to Kenda Electronic Systems Ltd, who do not use end-to-end encryption at their NEC e-voting website http://www.kenda.co.uk/labourparty/ or for the actual vote made by a HTTP POST operation to http://www.kenda.co.uk/labourparty/page1all.php? Why? Companies House records Kenda's sole Nature of Business as "Manufacture other electrical equipment" - so they do not seem to claim expertise in electronic voting.

Does anyone know the rules laid down by the NEC for e-voting standards? The Rule Book does not go to this level of detail, and I cannot find anything more specific online. For the Leader/Deputy Leader election the NEC stipulated "secure e-voting", and I'd expect a similar standard for the NEC election.

If your ISP forces a mandatory HTTP cache on users, as AOL does, then your membership number and votes may for a while be stored on your ISP's computers. Another reason why HTTP is inadequate for a secret ballot in my view.

In principle, because of the lack of encryption, it would be possible to alter the votes during transfer. Or vote again later using your details changing or invalidating your vote. I doubt anyone would bother, but for simple technical change of using HTTPS, this possibility should not be open.

This all looks very shoddily done to me. 



tags: , , (all tags)

Display: Sort:
Online NEC voting - secret enough? | 5 comments (5 topical)

Re: Online NEC voting - secret enough? (#1)

by CitizenAndreas on Thu Jul 03, 2008 at 02:30:56 PM GMT

The contents of the submitted HTTP form could have been intercepted if someone had set up a packet sniffer along the route, but that would mean sifting and deciphering a serious amount of internet traffic. I'm pretty sure that ISP's don't care much about outgoing HTTP posts passing through their proxies and are unlikely to store them.

I'd say it's nothing to worry about.

Personally, I'm not that fussy about secrecy:
Peter Wheeler
Ann Black
Ellie Reeves
Mohammed Azam
Christine Shawcroft
Peter Willsman

Mark McDonald - Treasurer

Kevin Hepworth - Auditor


Re: Online NEC voting - secret enough? (#2)

by Free Radical on Thu Jul 03, 2008 at 04:56:51 PM GMT

Rwendland

This is a very good question indeed. One that I have previously put to an NEC member, who was unable to get much of an answer from the party.

Appropriate questions to be put to companies invovled in voting (and any subcontractor) might be:

1. Regarding any personal information held by the company (or any subcontractor) - what assurances are there that personal information on members is used only for the intended purposes?


2. What assurances are there that personal information is held in a secure manner?


3. What controls are in place to assure the integrity of the votes that are cast?


4. What was the due diligence process in the Labour Party's choosing of Popularis (and did this cover the use of subcontractors)?

Last time around I believe Tribune reported that a deputy regional director was alleged to have asked a member to ring round canvassing against the grassroots alliance candidates. I understand they replied that the turnout was low and they were merely trying to encourage voting. But presumably noone should know the turnout figures anyway.

For a long time the Labour Party used the Electoral Reform Society, which was widely recognised for its impartiality.



Re: Online NEC voting - secret enough? (#3)

by redpants on Thu Jul 03, 2008 at 05:52:24 PM GMT

Popularis is run by Anne Hock who has a long history of running ballots for Labour and trade unions.  Previously Popularis was known as election.com and before that was Unity Ballot Services - part of Unity Trust Bank. 

Anne is one of those Labour backroom people who makes the party machinery run, when all about are losing their heads, and so I would say that she would ensure that the process is scrupulously run and entirely honest. 


[ Parent ]

Re: Online NEC voting - secret enough? (#4)

by rwendland on Thu Jul 03, 2008 at 06:11:18 PM GMT

I've been in touch with Popularis, and Anne Hock says she has been in contact with the Labour Party and the voting link will be changed.


[ Parent ]

Re: Online NEC voting - secret enough? (#5)

by Free Radical on Thu Jul 03, 2008 at 06:51:27 PM GMT

I should emphasise that my comments above do not imply that any individual or organisation is not acting correctly or that they ought to be suspect in any way, but some transparency would be helpful. This is the first time anyone has explained to me who Popularis are. I would hope that the Party did ensure due dilligence when they appointed Popularis. I'm not sure how the use of subcontractors is scrutinised - a question for a lawyer I guess.


[ Parent ]

Online NEC voting - secret enough? | 5 comments (5 topical)