Election Cyber Security Challenges for Canada

Cet essai est disponible en français. 

he October 2019 federal election promises to be the first one in Canadian history where “election cyber security” will play a prominent role. Election cyber security can be understood as preventing digital interference with the main actors, institutions and processes of elections. A variety of different threats to Canadian elections, from hacking of political parties to misinformation spread on social media platforms to abuses of voter privacy to foreign interference, are all real risks in 2019. This essay outlines the major election cyber security issues facing Canada by focusing on three key actors — namely, political parties, election administrators and voters. It then analyzes the implications for cyber security of the changes imposed on federal election law by the Elections Modernization Act.¹

Political parties in Canada are now sophisticated digital operations. They often use the techniques of big data analytics in which sophisticated algorithms generate inferences about voters based on massive amounts of personal information, largely collected from online activities. While still relying on traditional practices such as knocking on doors, parties increasingly operate digitally and integrate voter data into their activities. All federal parties have voter databases that contain sensitive personal information about voters. This information is collected from a variety of sources and is used for fundraising, “get out the vote” efforts and policy development, among other activities. In addition to television and radio advertising, parties now advertise extensively online. This advertising is common on social media platforms and, in particular, on Facebook. Social media advertising allows parties to microtarget messages at particular subsets of voters. Voters may be segmented by postal code, employment or education, or by choices about car models, food, shopping or entertainment, based on the theory that these correlate with political preferences.

The shift of parties into the digital space has expanded the cyber risks that they face. The Communications Security Establishment (CSE) of Canada issued a report in 2017 highlighting the risk of foreign interference to Canadian elections, especially in light of the now well-proven instances of malicious activities in other democracies in recent years (CSE 2017). The CSE identified political parties as a weak point in election cyber security in Canada. Parties are private actors, with relatively scarce resources given their importance, and are often staffed by volunteers, especially at the riding level.

Political parties are increasingly vulnerable to hacking and present tempting targets for foreign actors. Digital interference with one of Canada’s main political parties would have widespread effects on the trust of Canadians in the electoral process and politics more generally. The hack of the Democratic National Committee in the United States around the time of the 2016 presidential election had negative consequences for American democracy. The passage of a Canadian version of the Magnitsky Act, a US statute that permits the US government to penalize foreign governments for human rights abuses, also potentially raises the likelihood of foreign interference by those state or non-state actors that may see sanctions imposed.²

Party leaders are at risk of impersonation online, if a hostile domestic or foreign entity seizes control of their Facebook page or Twitter account. The stakes involved in malicious impersonation of a party leader or a candidate are very high. Imagine, for example, the potential chaos that could ensue if a foreign entity seized the prime minister’s Twitter account.

This risk is quickly evolving as technology changes. The potential harm caused by impersonation is increasing due to “deep fake” technology in which audio and video recordings are manipulated to create extremely authentic-looking videos of political figures doing or saying damaging things. With the advent of deep fakes, it will be much harder for voters to discern the credibility of a news item or social media post. Voters may inadvertently credit false videos or may doubt the truth of videos that are in fact real, with negative repercussions for democratic debate.

Cyber security is also a key concern for Canada’s election administrators. Elections Canada is the non-partisan, independent body that administers federal elections, including managing polling stations, compiling results in ridings, conducting voter registration and so on. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2018 identified public institutions as being at risk of digital interference given the data that they hold and their important roles (Canadian Centre for Cyber Security 2018). The risk of interference in election administration has led the United States to declare electoral institutions to be “critical infrastructure” (U.S. Election Assistance Commission 2018).

Canada’s maintenance of a traditional paper ballot system for federal elections instead of moving to e-voting has fortunately avoided many of the cyber-hacking risks posed by electronic voting machines and internet voting. It is now clear from the experiences of jurisdictions that switched to online voting that these systems cannot yet be secured to the degree of certainty needed for citizens to have trust in the outcome. Although online voting does occur in Canada, notably in some municipalities in Ontario, these races are less likely to generate the attention of hostile foreign powers. The incentives for interference in federal elections are much higher.

Even if Canada’s adherence to the paper ballot has reduced the cyber risk, other forms of digital interference are still a concern. Election administrators have databases that they use for voter registration, which are rich targets for hacking. The internal operations of election administrators such as Elections Canada could be subject to interference to disrupt their activities and to derail elections. Some administrators oversee networked polling stations, which creates some risk.

Like political parties, election administrators are also at risk of impersonation. The “robocalls” scandal in the 2011 election involved fraudulent automated telephone calls, including some purportedly from Elections Canada, which directed voters to the wrong polling station or gave them the incorrect election date. This incident highlights how online misinformation could be spread in future elections by a tactic of impersonating Elections Canada. Social media posts, Twitter feeds, banner advertisements or phishing emails purporting to be from Elections Canada all have the potential to be used by malicious actors to suppress voter turnout by sowing confusion. While the automated telephone calls wrought serious damage, the reach of such misinformation through these online mechanisms is potentially much wider.

The risks of misinformation and impersonation of election administrators have been augmented by the increasing use of messaging apps that are end-to-end encrypted, such as WhatsApp. While there are important social benefits for having messaging that is beyond the scrutiny of government, especially in authoritarian regimes, it also means that misleading or false election messages are hard to trace and correct in democracies. Such messages could include content that directs voters to the wrong polling station or gives them the wrong election date for the purposes of voter suppression. For example, in the 2018 presidential election in Brazil, WhatsApp played a crucial role in political advertising and the spread of political information, but also became a mechanism to spread false information and innuendo.³

No analysis of cyber security threats is complete without considering the impact on voters. The mass collection of information about voters by parties and campaign consultants lays the foundation for major risks to voter privacy. Voter privacy is particularly relevant with regard to political parties and social media platforms.

First, the privacy laws that apply to private and public sector actors do not apply to political parties, which creates huge potential for the misuse of sensitive personal information about voters.⁴ There is no compelling public policy rationale for why political parties should be exempt from robust privacy rules, as nearly every other significant public or private sector organization in Canadian society is subject to them. Voters should know that political parties are abiding by fair information principles, modified to account for other federal election laws, such as the mandatory disclosure of contributors. Fair information principles include accountability, consent and limits on the collection, use and disclosure of personal information. Currently, voters have no way of knowing whether the information that they have knowingly given to parties, or that the parties have collected from social media or private sources, is protected against third-party disclosures or has adequate safeguards, such as encryption. This information is at risk of cyber interference. In response to this problem, the House of Commons Standing Committee on Access to Information, Privacy and Ethics recommended in 2018 that political parties should be included as entities under the existing private sector privacy legislation (House of Commons Standing Committee on Access to Information, Privacy and Ethics 2018).

In our view, the privacy rules that apply to political parties should be tailored to the particular role and function of parties. For example, a “do not call list” that prevented political parties from contacting voters would be disastrous for democratic engagement and could undermine, rather than protect, democratic discourse. Democracy requires contact between parties and voters.

Second, voters’ privacy can also potentially be breached by social media platforms. Their business model is predicated on giving away services in exchange for personal data. The major platforms have been critiqued extensively for the manner in which they collect and disseminate data. This transmission of information about voters held by platforms to app developers, advertisers or other entities, especially if used for electoral purposes, raises serious risks to voter privacy. In the most notorious example implicating voter data from social media sites, the Cambridge Analytica scandal involved alleged improper third-party uses of Facebook data by campaign consultants, although Facebook disputes the extent.

The Elections Modernization Act of 2018 makes a host of changes to federal election law, including some important measures to improve cyber security.

First, social media platforms with a minimum number of users are required to keep a repository of all political advertisements run on their websites.⁵ This move offsets, to some extent, the influence of microtargeting. Microtargeted advertisements are only seen by the viewers to whom they are directed, and rules on disclosing the source are easier to evade online. There is, therefore, less public scrutiny of the content and the source than there would be with a traditional advertisement on television or radio. A mandatory repository of advertisements imposes transparency and facilitates public scrutiny of advertisements. This new legislative requirement will not prevent foreign-placed advertisements or domestic ones that otherwise breach campaign finance laws, but it increases oversight as the advertisements will be made available to the public, media and politicians to examine.

Second, the act also creates a host of offences that are directed at digital threats, including interfering with a computer.⁶ Social media platforms will not be permitted to take foreign advertisements communicated for the purpose of influencing an elector.⁷ The statute also creates new offences of impersonating a politician or Elections Canada.⁸

These offences are promising attempts to update the Elections Act to account for digital democracy and existing cyber threats. Yet, they collectively face some challenges, in particular around deterrence and enforcement. It is unlikely that new offences will deter foreign actors funded by a hostile government from hacking into the database of a political party or from placing misleading content on Facebook. Even if the wrongdoers can be identified, if they reside outside of Canada in hostile countries it is unlikely that they would ever be held accountable. It is also unclear whether the provision on impersonation will cover deep fakes.

Finally, the legislation will require political parties to have privacy policies that address specific issues but does not go so far as to grant voters an enforceable right to their personal information and does not give them a cause of action to combat privacy infringements.⁹ This tepid approach to regulating political parties and privacy is a significant missed opportunity, not only for privacy but for cyber security as well. Laws imposing stringent privacy protections would have the salutary indirect effect of requiring parties to strengthen their cyber security protections and would limit the collection of the massive amounts of personal data that underwrite data-driven electoral threats.