The Election Commission of Pakistan’s (ECP) task force, made on the directives of the Supreme Court (SC), has pointed out a number of flaws while checking the feasibility of the proposed e-voting mechanism for overseas Pakistanis.
According to a report published by local media, the Internet Voting Task Force (IVTF) has instead advised against implementing the e-voting system.
In April, the SC had formed a task force of the ECP to conduct a technical audit of the Internet voting solution proposed by the National Database and Registration Authority (NADRA).
In a report submitted before the top court on Monday, the IVTF said that while overseas Pakistanis have the right to vote in the elections, the e-voting platform that NADRA had proposed to use for the purpose, iVote, has drawbacks that pose risks to the conduct of transparent voting.
Instead of an e-voting system, the IVTF recommended that in order to include overseas Pakistanis in the electorate, the ECP should introduce postal or embassy voting.
According to the report, the iVote system does not provide secrecy of the ballot, which is a violation of Clause 94 of the Elections Act 2017 and Article 226 of the Constitution.
It also warned that the e-voting system “typically enables vote buying and voter coercion”.
“In our particular case, there is a very real possibility that votes may be bought, sold and coerced overseas in regions where the ECP has no mandate to investigate or prosecute such attempts.”
The report also pointed out that though other countries had employed e-voting systems, none had an overseas population as large as Pakistan. Nearly six million citizens living abroad are eligible voters, IVTF’s report said. The huge number of voters have the potential to influence the outcome of the elections and — in case of a system hack — will have an adverse effect on the “formation and composition of the next government”.
The task force cautioned that since Pakistan’s “mechanisms… are still very fragile”, authorities must not be hasty in employing an e-voting system without taking appropriate measures to ensure that the process will be secure and won’t compromise on the secrecy of ballot.
“Our mechanisms, as evidenced in the aftermath of the General Elections of 2013, are still very fragile. Therefore, electoral improprieties in the overseas voting process (or even the impression of such) can potentially lead to political deadlock and turmoil. To successfully deploy a new technology, we should be cognizant of the relevant social factors,” the IVTF report stated.
The iVote mechanism is also susceptible to cyber-attacks that can be “launched with moderate technical ability and can easily be automated to manipulate votes at a large scale”, the report claimed.
The report disclosed that the IVTF had tested the system by sending “fake emails addressed from NADRA, with content of our choice, which directed voters to a fake voting website, identical to the iVote portal in appearance”.
Such scams, the IVTF report said, would be extremely effective against a population “which is not very tech-savvy”. It pointed out that while the banking sector had a security mechanism to prevent such attacks, the iVote platform had no such system in place.
Furthermore, the relevant authorities had not developed any formal Solution Requirements Specification (SRS) — which is a set of documentation that describes the features and behaviour of a system — neither did they have “a formal specification of the Threat model, which was considered when building this system”.
The IVTF also noted that there was no planning regarding who would be responsible to implement the system and the task force of was unaware of any resources, if any, were allocated for monitoring the system once it would be in place.
“This lack of planning also poses a considerable security risk in that certain critical security processes are vulnerable to insider attacks, i.e. certain system operators may be in a position to attack the system from within and modify the results. Protection against such attacks requires formulation of security policies, procedural controls, security clearances, etc. which are very intensive and time-consuming processes.”
The report further said that due to the absence of key documentation related to key operational processes, the IVTF was “unable to assess [the iVote system] for certain important security attacks”. The task force also suggested that the court consider the 31-page report as a “preliminary analysis” since the team had worked “within a very small-time window, with limited resources”.
In light of its findings, the IVTF team recommended against implementing the iVote system “in its current form” due to the absence of “a bottom-up security culture that is more appropriate to a critical national application such as political elections”.
The team, however, clarified that the findings of the report should not be a cause for “pessimism” and assured that while it was a “controversial and risky undertaking”, an online voting system was not impossible to implement.
The IVTF recommended that the e-voting be introduced “in a piecemeal organic manner starting with multiple small non-political elections (e.g. trade organization, bar councils, engineering bodies, etc.), followed by small-scale political elections (intra-party elections, local government polls, by-elections), and slowly expand in scope”.
It also recommended that the ECP “institutes a dedicated cell to research and develop cutting edge election technologies as well as provide informed and timely technical expertise to stakeholders in the electoral process” as these were “critical shortcomings” in Pakistan’s voting technology.