Background Notes
Electronic Voting
in Nova Scotia

Vote-by-telephone disaster in Nova Scotia

Daniel MacKay <>
Sun, 7 Jun 92 13:38:09 ADT

Well, I'm pretty close to the source, so I thought I'd write about it.

Some time ago, the Liberal party of the province decided they'd use a high-tech voting system, fairly simple in structure. They would contract with the local telco, Maritime Tel and Tel, to use a phone/computerized phone system so that people could vote from the main leadership convention here in Halifax or from regional rallies (where they had banks of phones installed) or from home using their touch-tone phones.

The method:

Voting was supposed to begin at 12:30, and take 90 minutes for the first round. If necessary, several voting rounds could be cast during the day.

Everything went wrong.

A chronology:

What went wrong? System-design-wise? Considering the PIN as a password -- each member knew only his -- there was no UID (member number) to PIN matching. So anyone who knew your PIN could vote on your behalf. So the problems of (a) PINs being rejected, and (b) voting twice could easily be explained as people making finger errors. If you made a mistake with your PIN, either you got someone else's number and voted for them, or you got rejected -- no way to tell. If you later went back and used your correct PIN after having used someone else's, why, that would look a lot like being able to vote twice. Users couldn't, of course, change their PINs.

Anyone with a programmable dialler could have voted for many, many Liberals if he knew the format of the PINs. Given the profoundly bad management we saw, I wouldn't be surprised to see them as six-digit numbers ranging from 100001 to 107290; there were 7289 registered voters. This prospect hasn't even been discussed yet in the local media.

There was no backup voting system for this, the inaugural use of the system. The telco convinced the Party there was no need for it -- the telco (the newspaper report says) reminded the Party that it handles hundreds of thousands of calls a day, and there was no possibility of the system failing.

Operationally, there was either a bug in the voting software, or it was incapable of handling the volume of traffic, causing it to fail to thank-you most of the time. And, of course, the kid with the scanner telling all just added icing to the cake.

It was not a great day for the telco, or for the Liberal Party. There hasn't been any discussion of responsibility, but there sure will be next week! The convention cost hundreds of thousands of dollars, and it was entirely a wasted effort.

Daniel MacKay, NOC Manager,
NSTN Operations Centre, Dalhousie University,
Halifax, Nova Scotia, Canada <> 902-494-NSTN

[The METHODS paragraph above was lightly edited by PGN for clarity.]
[This case was also reported by Richard Taylor of AECB, Aidan Evans <AE@AC.DAL.CA>, and
<parnas@triose.eng.McMaster.CA> (Dave Parnas).]
[Another example of a case for public key encryption? PGN]

[ Risks Digest Volume 13, Issue 56, 9 June 1992]

[ICS comment: PIN is an acronym for Personal Identification Number. PINs are usually chosen at random by an independent authority, and throughout the process of selection and issuing the PINs special care is -- or should be -- exercised to minimize the possibility of leakage of PINs to other than the individual for whom each is destined. The random selection algorithm should be designed using care to avoid any pattern that could be used by anyone who has one PIN to calculate, or to guess with some chance of success, any other PIN for the particular event. The worst case scenario is when a group of PINs consists of a series of consecutive numbers; nearly as bad is when a list of PINs is selected by a simple mathematical method, such as consecutive multiples of 7, or of any other number. There is a considerable literature on how PINs can be selected to minimize the opportunity for someone with a few genuine PINs to be able to improve, beyond purely random chance, their ability to figure other PINs within the same event. It is by no means a simple matter. We have no information on what method MT&T used to generate the PINs for this vote-by-phone exercise. As far as I know (and I followed this story closely at the time) the method of PIN selection was never mentioned in the local media.]

Phone-in Voting in Nova Scotia

Mon Jun 8 13:46:17 -0800 1992

[Richard included extracts from a Canadian Press article by Alan Jeffers in The Ottawa Citizen, Sunday, June 7, 1992, not included here, along with the following comment:]

Again on CBC Radio this morning: there is now talk about having to run the entire campaign over again since the candidates who were listed as faring badly in the cellular telephone message are protesting that this disadvantages them in a new polling. A second campaign would severely drain the resources of the party and would put them at a disadvantage in subsequent elections. RPT

Richard P. Taylor, Ottawa, Canada.

[ Risks Digest Volume 13, Issue 56, 9 June 1992]

Update on Vote-By-Telephone Disaster
in Nova Scotia

Daniel MacKay <>
Mon, 15 Jun 92 10:27:45 ADT

This is a follow-up on the huge local vote-by-phone fiasco. In RISKS-13.56 I wrote about the vote-by-phone system contracted from the telco by the Liberal Party for their leadership convention, following Murphy's Law.

On June 8th, the telco held meetings with the Liberal Party, and with the media. As always, there's a little second guessing to do about what the press releases mean. Here's what they say:

The first part of the system had a dead-session detection function, to keep people from tying up phone lines. However, when the second part of the system started to slow down [transactions queued up? -dm] the first module hung up before the second part issued an acknowledgement.

Also, the telco says when voting was restarted, "some rogue information stayed in the system, causing some voters to be rejected." [They didn't reset the who-had-voted list, perhaps? -dm]. On the day of the fiasco, the telco initially blamed the problem on a missing line of code in the software, but they say now that that was a mistake. The problem of people being able to vote twice hasn't been mentioned.

The telco says the Liberal Party won't be charged for the services rendered on Saturday. [Like the power utility burning down your house with a million volts by accident, and saying ``Don't worry, you won't be billed for the electricity.'' -dm]

150 telco employees were recruited to test the system, [compared to 8000 voters in the real system! -dm] on Thursday the 11th, and it apparently worked. The telco reduced the number of incoming lines to cut down on system load.

The Liberal Party has decided to have another go at the vote-by-telephone system in a few days, but there won't be another convention. The telco will be posting a 350,000$Cdn performance bond on the system, and there will be a paper-ballot backup system on hand.

Some candidates have asked the telco for partial reimbursements of their campaign costs on the basis that disclosure of the numbers (leaked via the kid with the scanner listening to the cellular conversations) have destroyed their chances of winning. The telco claims that the numbers leaked (numbers of calls recorded to each of the candidate's phone number) bear no relationship to the number of votes that had been collected or would have been collected.

Daniel MacKay, NOC Manager,
NSTN Operations Centre, Dalhousie University,
Halifax, Nova Scotia, Canada 902-494-NSTN

[ Risks Digest Volume 13, Issue 58, 15 June 1992]

World's First Voting by Phone
June 20 in Nova Scotia

Evan Ravitz <>
Tue, 7 Jul 92 23:27:36 -0600

After an initial failure on June 6, the Liberal Party of Nova Scotia held a primary June 20 to elect its next leader: 94% of the 7416 delegates voted, all with touch-tone phones. Typical turnout for Canadian elections is 60-70%.

The Liberals were issued Personal Identification Numbers (PINs) by mail. For each of 2 ballots, voters called one of five 900 numbers corresponding to their choice of leader, and then keyed in their "PIN number". The computer then checked their number off so they couldn't vote again. John Savage won on the second ballot with almost 53% of the vote.

The service was provided by Maritime Telephone & Telegraph and cost each voter 50 cents. The eight-digit PIN numbers enabled one to vote from any billable touch-tone phone: if you didn't have touch- tone, you'd borrow your neighbour's. Absentee voting was as simple as picking up the phone, wherever you were.

With this success, the Canadian government is considering a national referendum by phone on the results of their Constitutional Convention, within 6 months.

The Federal Voter Assistance Program of the Pentagon is now considering voting by phone for servicemen, who had voting by fax from the Persian Gulf. But a $300 fax machine is overkill when a $10 touch-tone phone will do. The Program called the Voting by Phone Foundation of Boulder for their initial information.

The Voting by Phone Foundation is now in a petition drive to put a charter amendment on November's Boulder City ballot. If passed Boulder would become the first city in the U.S. to offer the option of phone voting. Please call [Evan at] (303)444-3596 to help.

The Foundation is holding a demonstration of voting by phone from now until the November 3rd election. Anyone may call (303)444-3596, 24 hours a day. If you are registered to vote in Boulder, you will be asked to enter your last name and birth date for identification. This limits you to one vote, although not as effectively as the random PIN number to be used for real elections. A different question will be asked every 2 weeks, and presidential [... rest lost in transmission (truncated by Evan's mailer?)]

[ Risks Digest Volume 13, Issue 63, 8 July 1992]

The Risks Digest:
Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy
Association for Computing Machinery

Return To Page: History Index
Return To Home Page

Latest revision: 1997 November 22