Aleksander Essex
Cybersecurity, cryptography, privacy, election technology. Prof at @westernu
Oct 18, 2021 11 tweets 2 min read
Setting aside the dubious normalization of ubiquitous ID checking, vaccine passports create new opportunities for inescapable data collection 🧵
Proponents of vaccine passports rightly point out that showing ID was something we previously had to do, like when buying alcohol or entering a bar
Sep 30, 2020 5 tweets 1 min read
I don't use remote online proctoring services in my courses. As a cybersecurity professor, I couldn't in good conscience make my students download and install something on their device that I wouldn't install myself. lfpress.com/news/local-new…
I couldn't in good conscience require my students to submit to facial recognition software when I wouldn't myself. Or grant such an app system-level privileges.
Sep 18, 2020 5 tweets 1 min read
This is what a ballot looks like when you prioritize the needs of voters above the needs of optical-scan equipment
Compare: tiny ovals, excessive white space, implicit oval/candidate associations
Sep 14, 2020 15 tweets 5 min read
1/5 Online voting vendor @Voatz has been engaged in an alarming campaign in essence to become the gatekeepers of their own cyber accountability. Today I join 70 security experts in a letter admonishing their recent submission to the @USSupremeCourt disclose.io/voatz-response…
2/5 Our response has an unusually diverse list of signatories from academia, industry, and government. It includes those who work in software security in general, as well as those who work in elections in particular, making the case that @Voatz's views are not widely held
Sep 3, 2020 12 tweets 6 min read
Remember when online voting vendor @Voatz referred a @UMich student to the authorities? Well now they're arguing to the @USSupremeCourt that the Computer Fraud and Abuse Act should not be narrowed to protect independent "unauthorized" security research supremecourt.gov/DocketPDF/19/1…
At issue is the question of whether independent cybersecurity research is necessary. @Voatz argues research and testing "can be performed by authorized parties" and that "unauthorized research" and dissemination of "theoretical security vulnerabilities" is "harmful".
Jul 25, 2020 4 tweets 4 min read
So @nicolejgoodman and I testified to @HoCCommittees #PROC that remote voting was doable for NON-SECRET votes. The report completely omits this crucial point and instead inexplicably recommends "conducting votes via SECRET ballots electronically"
We detailed in an @IRPP oped why NON-SECRET voting was necessary for verifiability. We submitted this brief to the committee and summarized it in our testimony. Incredibly, these arguments were all omitted from the report and our brief wasn't even cited.
policyoptions.irpp.org/magazines/marc…
Jul 9, 2020 5 tweets 1 min read
Last year I provided expert testimony in Bonesteel v. Lambton Shores, which centered around online voting in the Ontario 2018 municipal election. Disappointingly, none of the technical arguments we presented were evidently considered in the decision 🤔
canlii.ca/t/j2t2j
It's disappointing to see relevant technological arguments excluded from consideration in a case that fundamentally centers around the introduction of new technology, which the judge admits the applicants "distrusted and disapproved of."
Jun 26, 2020 4 tweets 1 min read
@MarkCoffin I saw the CBC article about NS not knowing which municipalities are doing online voting. We had an identical situation here in Ontario in 2018 and ended up having to compile the list manually ourselves. Importantly the online voting vendors would not share this information with us either. They did, however, make claims about how many cities (customers) they were working with, but in every case we found the numbers were overstated.
Jun 11, 2020 11 tweets 3 min read
I spoke to the House of Commons (@HoCCommittees) Procedures Committee (#PROC) today about how to do remote legislative voting in a safe, cyber-conscious way.
parlvu.parl.gc.ca/Harmony/en/Pow…
Remote legislative voting is a way easier technical problem than online voting for general elections. Votes are a matter of public record, which means you can go back and check what was recorded, which means you can actually detect when things go wrong.
May 19, 2020 4 tweets 2 min read
"The number of (technical) briefings computer science subject matter experts submit to a Canadian Parliamentary committee is normally zero" via @papervote papervotecanada2.wordpress.com/2020/05/18/set…
There are a few reasons for this. Unsurprisingly, technology people are more interested in tech than politics, and many wouldn't see the point of trying to reach across the divide. But in my experience, that street runs both ways.
May 3, 2020 4 tweets 3 min read
Contact tracing has come to Canada with #Alberta's new ABTraceTogether app. No source code, no technical details, no #privacy impact assessment, no #security risk assessment. Just an app and a lot of unverifiable privacy claims #COVID19Canada #cdnpoli
alberta.ca/ab-trace-toget…
@YourAlberta says ABTraceTogether temporary IDs are encrypted. How? In cryptography, details matter. Like, SO much. Since the code's not publicly available maybe we could ask Alberta to ask their devs whether CTRL+F "ECB mode" produces any matches.
Mar 8, 2020 5 tweets 2 min read
Read this stunning letter by the Australian Dept of Health to @unimelb vice chancellor calling for @VTeagueAus to “cease work” on her research of re-identification risk of Australian patient data. righttoknow.org.au/request/6092/r…
The ADH letter is remarkable for several reasons. First it calls on the senior university administration to intervene to “cease” a professor’s research study. Second it implies the university should review and potentially censor findings in a conference presentation.
Feb 24, 2020 4 tweets 2 min read
This is an important point, @cityofbarrie. Of the 177 cities using online voting in 2018 not one did an audit that identified the re-identification risk of using dates of birth as login credentials. @AMCTO_Policy Of the 43 municipalities whose voting platform went down on election night in 2018, more than one evidently had no backup plan. Audit didn’t catch that. See eg cbc.ca/news/canada/lo…
Feb 19, 2020 14 tweets 3 min read
On the steps of the New South Wales parliament with @VTeagueAus and Rajeev Gore after testifying to the Standing Committee on Electoral Matters about online voting in the 2019 #NSW state elections. Thanks to the MPs for their excellent questions. Here are a few points...
Point #1: One of the honourable members asked about the nature of proof. Can you really ever know, for example, the moon landings happened? The good news is we don’t need to go so deep down the rabbit hole.
Dec 17, 2019 4 tweets 1 min read
So I tweet about the challenges of online voting and everyone responds about the challenges of machine-marked paper ballots. I'm totally sympathetic to the unique voting challenges you're dealing with in your state. But they're not really in the same league. Take voter-verification. With BMDs you have to remember all your selections and actually check them and actually report errors. You still have to do this in the online setting. But now add the technical hurdle of verifying what data your device actually sent to the server
Oct 9, 2019 4 tweets 2 min read
July: @SimplyVoting dismisses concerns over voter-side malware. “It's very difficult to develop ... a virus and have it infect enough computers to make any difference in the outcome.” October: judicial recounts over single-digit margins. 🤷‍♂️ @hilarybirdcbc cbc.ca/news/canada/no…
Of course this claim was even a stretch at the time given the territory’s small population and history of narrow margins.
Sep 24, 2019 10 tweets 4 min read
Did you know a foreign-owned cloud provider has access to online votes on their way to the digital ballot box? When electors in Canada’s Northwest Territories vote online, their ballots pass through @Cloudflare servers and are briefly decrypted while in transit. We wrote a paper about this practice in Australia’s online elections. Now it’s happening in Canada. #nwt @hilarybirdcbc @DavidWasylciw @markeldo @VTeagueAus @chrisculnane @papervote
whisperlab.org/blog/2017/Trus…
Jun 24, 2019 4 tweets 2 min read
Doing a round of CBC radio interviews this afternoon talking about disinformation in the upcoming election. @UpNorthCBC @CBCHereandNow @CBCHomestretch @OnTheGoCBC @Mainstreethfx @CBCOnTheCoast The government is doing 3 things to fight disinformation in elections: coordinating their information sharing and response; working with social media companies; and, doing public awareness campaigns.
Jun 19, 2019 4 tweets 1 min read
"People are so focused on [foreign interference] right now, that they don’t consider the possibility that your election could be undermined by a simple loss of confidence in the process itself."
commondreams.org/views/2019/06/…
"All you need is one candidate who will not concede losing. The online system says they lost, but they will not concede. And they are vocal on Twitter. And they have a whole army of people that they can rile up. And they say, 'Who says we lost? I say we didn’t lose.'"
Jun 16, 2019 6 tweets 1 min read
So you want to vote online. Ok. First run this thought experiment: you're a candidate. You just knocked on 1,000 doors and spent half your retirement savings. You lose badly, and totally unexpectedly. Everyone you meet on the street says they voted for you. Something doesn't add up but you can't put your finger on it. You decide to investigate. You email the company who ran the online system. They're polite, but won't give you any information. You email the election officials but they say they don't have access to that information.
Jun 12, 2019 4 tweets 2 min read
I’m at #AMCTO2019 in Huntsville this morning presenting findings from my upcoming report on the use of online voting in Ontario cities. We may be the largest global user of unregulated online voting, and that needs to change! @AMCTO_Policy @ElectionsON Online voting went offline for a million voters on election night due to a miscommunication, lack of disaster plans, and no apparent load testing. We must do better for 2022.