This is a summary of the paper presentation made by the authors at the World Association for Public Opinion Research (WAPOR) 66th Annual Conference held in Boston in mid-May. The paper examines the infrastructure of the online voting system used for the “PopVote 3.23 Civil Referendum”, focusing in particular on the identity authentication, privacy and security issues involved. The findings are of interest not only to those developing online voting/survey technologies, but more broadly to the public opinion research field in terms of our understanding of how to engage respondents in a technology-driven world.
Background and Objectives
To echo the 2012 Chief Executive (CE) election held on March 25, 2012, supposedly the last time a CE is elected by a 1,200-member Election Committee before universal suffrage is implemented in 2017, POP organized a mock civil referendum entitled “PopVote 3.23 Civil Referendum” on March 23 for the general public to express their support for different candidates, with three objectives, namely, 1) to provide a multi-dimensional reference for the public and the election committee, 2) to construct a civil society by promoting civil participation, and 3) to demonstrate the electronic voting system.
The “PopVote 3.23 Civil Referendum” project was funded entirely by public donations. By design, all local citizens of age 18 or above were eligible to cast a vote on an electronic voting platform hosted by POP, via website or smartphone app, from 00:00 to 20:00, or in the designated territory-wide physical polling stations from 09:00 to 21:00 on March 23. The voting time was subsequently extended to 18:00 of the next day because of the overwhelming response from the public as well as a system interruption in the middle of the event caused by a malicious attack. Nevertheless, a total of 222,990 votes were collected at the end, with 38% from polling stations, 30% from the website, and 32% from the smartphone app. The result of the vote was 18% Leung Chun-ying, 11% Henry Tang, 16% Albert Ho, 55% Abstention, while the official CE Election result was 57% Leung Chun-ying, 24% Henry Tang, 6% Albert Ho. The event was widely covered by local and international media and received much more public attention than anticipated.
Six principles were adopted in designing this voting system, namely, availability, uniqueness, fairness, eligibility, privacy, and integrity. “Availability” refers to a functional system that would be available during the event period. Factors that could affect the availability of the system include power and network interruption, human faults and hacker attacks. As for “uniqueness”, the system should identify and prevent duplicate votes from any individual voter. Regarding “fairness”, the system should be able to prevent anyone from altering the database and thus the results. When it comes to “eligibility”, the system should be able to verify the identity of the voter. Concerning “privacy”, the system should ensure the ballot information and personal data submitted by the voters are well protected. Last but not least, “integrity” refers to the safeguarding of all data collected by the system.
In real terms, on “availability”, a cloud security service limited overseas network access and greatly mitigated DDoS attacks, while a remote backup server set up in the research team’s premises provided resilience to the system against system failure. As regards “uniqueness” or “identity authentication”, taking into consideration the pros and cons of a number of authentication methods, a combination of HKID number and mobile phone number was adopted for online authentication. To ensure “fairness”, the PopVote system automatically logged all data insertions and altering actions by authenticated users. As far as “eligibility” is concerned, while a flawless online identity identification system is yet to be developed, casting votes at physical polling stations using the HKID Card with photo could provide sufficient information for the polling station staff to verify the eligibility of each voter. Regarding “privacy”, personal identification numbers of the voters were only used to authenticate the individuals’ identities and check for multiple voting attempts on the system, and were converted into a series of hashed codes. An SSL certificate was installed to ensure the data transmissions were encrypted, and all personal data in hashed form was destroyed and removed from the system within one month after the voting event. As for “integrity”, the PopVote server was protected by a firewall, an intrusion prevention system, and cloud-based web protection services.
When it came to actual operation, suspected DDoS attacks were detected prior to the event day, which severely halted the network. Attackers also tried other means, such as sending emails with suspicious attachments to members of the research team and even hijacking their email accounts, possibly with the intention of implanting malware onto the research team’s machines or stealing important information, including the system infrastructure design and other related data.
Seven hours after the voting commenced at midnight of the event day, the electronic voting system came to a complete halt due to some abnormal network traffic subsequently diagnosed by the IT experts in the research team.
After hours of investigation by IT security experts, four IP addresses were suspected of having directed a Distributed Denial of Service (DDoS) attack at the voting system. The research team reported the case to the Hong Kong Police Force; two males were arrested and one of them subsequently pleaded guilty to the charge of attempted criminal damage.
Having reviewed the infrastructure of the electronic voting system, the authors would like to make some recommendations regarding the software, privacy, performance and uniqueness aspects of the system.
On software, it is recommended to use a lightweight and efficient programming language to handle web requests, for example, Node.js. As for privacy, a random salt can be added to data before hashing to make it difficult to work out the original data from the hashed pattern, while iterating the hashing process a few more times will increase the difficulty of hacking. To ensure performance, a fault-tolerant system can be deployed to continue serving a web page even during a system failure, and to display the status of the server to web visitors. Concerning uniqueness, the Government should promote the usage of e-certificates in order to prepare the public and service providers for the future, when most voting, trading, and other official communication will be conducted via the Internet.
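An added illustration of the privacy recommendation above (not code from the paper or from the PopVote system): the HKID and mobile number are hashed with a random salt and many iterations, here using PBKDF2-HMAC-SHA256 as the iterated hash. It assumes a single secret random salt per voting event, so that the duplicate-vote check still works; the function and class names, the iteration count and the sample identifiers are constructed for this example.

```python
import hashlib
import secrets

ITERATIONS = 200_000  # assumed work factor; raise it as far as the server can afford


def normalize(hkid, mobile):
    """Canonical form, so 'a123456(7)' and 'A1234567' count as the same voter."""
    hkid_c = "".join(ch for ch in hkid.upper() if ch.isalnum())
    mobile_c = "".join(ch for ch in mobile if ch.isdigit())
    return f"{hkid_c}|{mobile_c}".encode()


def voter_token(hkid, mobile, salt, iterations=ITERATIONS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) of the voter's identifiers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(hkid, mobile), salt, iterations).hex()


class VoterRegistry:
    """Detects repeat voters while storing only salted, iterated hashes."""

    def __init__(self, salt=None, iterations=ITERATIONS):
        # One random salt per voting event, kept server-side: the same voter must
        # always map to the same token, so a per-record salt would defeat the lookup.
        self._salt = salt or secrets.token_bytes(32)
        self._iterations = iterations
        self._seen = set()

    def register(self, hkid, mobile):
        """Return True for a first-time voter, False for a repeat attempt."""
        token = voter_token(hkid, mobile, self._salt, self._iterations)
        if token in self._seen:
            return False
        self._seen.add(token)
        return True

    def stored_tokens(self):
        """What the system actually keeps: hex tokens, never the raw identifiers."""
        return frozenset(self._seen)

    def destroy(self):
        """Post-event cleanup: drop the stored tokens and the salt."""
        self._seen.clear()
        self._salt = None


if __name__ == "__main__":
    registry = VoterRegistry()
    # Constructed sample identifiers, not real voters.
    print(registry.register("A123456(7)", "9123 4567"))
    print(registry.register("a1234567", "9123-4567"))
```

HKID numbers and eight-digit mobile numbers come from a small, enumerable space, so the salt has to stay secret and the iteration count high; an unsalted single-pass hash of such values can be reversed by simply trying every candidate.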
In spite of its mechanical failure, the PopVote 3.23 Civil Referendum has no doubt engaged the community heavily in discussing the 2012 CE election. Besides the nearly 230,000 people who had cast their votes in the civil referendum, hundreds of volunteers were also involved in different stages of the campaign, including on-site work. The event inspired many social activists to use civil referendums as a means to press their demands. At the time of writing this paper, one such campaign is brewing, whereby the organizers would like to use a civil referendum to mobilize the public into endorsing some popular proposals for the next CE election in 2017.
To conclude, the unique political environment of Hong Kong under the “one country, two systems” formulation has induced the development of political participation and public opinion expression beyond random sample surveys and direct elections. While the general public is considered to be mature enough for universal suffrage, they are not offered the right to elect the head of their own government. Under such circumstances, the “PopVote 3.23 Civil Referendum” provided a platform for the public to articulate their needs. When technology becomes more advanced, especially in the areas of identity authentication, privacy protection and availability, electronic voting in the form of civil referendums will become more and more important in Hong Kong. When this “Hong Kong experience” becomes mature, it may have significant impact on other not so democratic societies without universal suffrage and without official referendum. In a way, the electronic-based “PopVote 3.23 Civil Referendum” project has pioneered a revolutionary method in the collection and expression of public opinion in the Asian region, if not the whole world.