Two cybersecurity experts who hacked into the last NSW election voting system have raised security concerns about next month’s poll.
When NSW goes to the polls on 23 March, hundreds of thousands of voters will skip the queues, dodge the how-to-vote-cards and miss the sausage sizzle - trading in their pencil and paper to vote online, at home, instead.
The iVote system is being rolled out for the state's third election running and it is expected more people than ever will use it vote from home early or on the day of the poll.
But two cybersecurity experts who managed to hack into the 2015 iVote system have questioned the safety and security of this year’s online voting platform.
Vanessa Teague from Melbourne University’s School of Computing and Information Systems says the online voting portal could be vulnerable to attack.
“There is a concern that electronic votes could be exposed, and there is also a concern that software bugs or security problems or direct manipulation could cause the answers to be different to what the voters wanted,” the associate professor told SBS News.
To be eligible to register for iVote, voters must live more than 20 kilometres from a voting centre, be blind or have low vision, have difficulty voting due to a disability, or be interstate or overseas on election day.
Almost 284,000 people voted online in the 2015 NSW election, up from 47,000 in 2011 when the project was first run.
The NSW Electoral Commission is expecting the number of iVote users to rise to 500,000 in next month’s poll.
Anyone who qualifies can vote online with registration opening on 11 February and closing on 23 March.
In 2015, Professor Teague and her Melbourne University colleague Chris Culnane exposed a major security hole in the online voting platform that could have allowed hackers to manipulate the votes without users knowing.
After alerting government agencies to the potential breach, the security concern was resolved.
But Dr Culnane says there are still too many risks and uncontrollable factors in any online voting project.
“Whilst convenience [of voting] is definitely an attribute we should strive towards, it shouldn’t be the primary attribute. The primary one should be the security and verifiability of that vote,” he said.
Whilst convenience is definitely an attribute we should strive towards, it shouldn’t be the primary one.
- Chris Culnane, Cybersecurity expert
Several other countries have run partial online voting systems at elections and referendums including New Zealand, Canada, France, Estonia, and Switzerland.
In the United States, Russia’s efforts to meddle in the 2016 presidential election have been the ongoing subject of multiple investigations.
Last year the NSW Electoral Commission ordered an independent review of the iVote service which found while there were risks, they weren’t great enough to stop the platform going ahead.
The review also recommended establishing a nationwide coordinated online voting effort between all state electoral commissions and the federal electoral commission.
Currently, only NSW and Western Australia have home-computer-based online voting platforms. Online voting won't be available at the upcoming federal election.
The NSW Electoral Commission told SBS News in a statement it “assesses the risks of all the voting channels it provides, both paper-based and electronic”.
“While acknowledging that it is not possible to eliminate all risks in any voting channel, the NSW Electoral Commission is confident in the safety and security of the iVote online voting system.”
Director of the University of Western Australia Centre for Software Practice David Glance, an expert in online data collection, told SBS News he believed the benefits of online voting outweighed the risks.
“Clearly there needs to be a lot of oversight and transparency in this whole process, but it is not beyond the government in being able to do this,” he said.
The NSW election is expected to be a particularly close fought battle between Liberal premier Gladys Berejiklian and Labor leader Michael Daley.
But Ms Teague says in the age of cyber attacks and with only a small number of votes needed to swing the result in a close election, it wasn’t worth the risk of going digital.
“In a paper count, if the papers are looked after, you can always go back in the case of a dispute and check whether there has been an error or not,” she said.
“Because of the combination of possibly international attackers, possibly local attackers, possibly software bugs and possibly just incompetence and mistakes … it shouldn’t run.”