ISLAMABAD: A task force comprising IT experts constituted by the Election Commission of Pakistan (ECP) to examine the possibility of introducing an internet voting facility for overseas Pakistanis has warned that the system is likely to be attacked by foreign governments and intelligence agencies.

A report of the task force made public by the ECP says foreign agencies pose an entirely different class of threat as compared to normal hackers. These organisations typically have vast resources and capabilities at their disposal. Their attacks can be extremely stealthy and of a magnitude that is sometimes difficult for a layman to even comprehend.

The task force says the system does not provide ballot secrecy as required under Clause 94 of the Elections Act, 2017, and Article 226 of the Constitution. The shortcoming is inherent to the proposed model of internet voting system.

It notes that casting votes outside a poll-booth environment typically enables vote buying and voter coercion. There is a real possibility that votes will be bought and sold overseas in regions where the ECP has no mandate to investigate or prosecute such attempts.

“We discover that users can easily mount attacks on this system using their web browsers, whereby they can cast votes for whichever national and provincial seat they choose, regardless of their constituency. These attacks can be launched with moderate technical ability and can easily be automated to manipulate votes at a large scale,” the report says.

The task force also talks of the possibility of phishing attacks, whereby an attacker creates doubt and confusion in the minds of voters with fake and misleading emails. “We successfully sent fake emails addressed from Nadra, with content of our choice, which directed voters to a fake voting website, identical to the iVOTE portal in appearance.”

It says that iVOTE employs certain third-party security components which have been phased out because their security has been demonstrably compromised. These components can be exploited by attackers using freely available tools.

It warns that lack of planning also poses a considerable security risk in that certain critical security processes are vulnerable to insider attacks, that is, certain system operators may be in a position to attack the system from within and modify the results.

Protection against such attacks requires formulation of security policies, procedural controls, security clearances, etc, which are very intensive and time-consuming processes.

Ideally new voting systems should be deployed progressively, starting with mock trials, deployment in surveys and non-political elections, followed by small-scale elections, and then scaling up over a period of years.

This approach — undertaken by countries like Switzerland and Estonia — has the advantage of identifying vulnerabilities at every step, while at the same time containing the risk appropriately. This also enables voters to become more familiar with the system and for developers to incorporate improvements in the system.

Published in Dawn, August 15th, 2018
