Yogi.Berra.jpg

[Image courtesy of TVRage]

As Opening Day approaches, I’m always looking or an excuse to quote Yogi Berra and this is the perfect opportunity … plus it’s a better picture than an Internet voting terminal!

Over the weekend, Canada’s New Democrats (NDP) conducted a vote for a new leader. The vote was conducted online so that registered party members could vote both in person at the NDP convention site and remotely from home computers or smartphones.

Sometime during the second round of voting, the system slowed considerably, and eventually it became known that the system had likely been the target of a “denial of service” (DoS) attack aimed at clogging the the system and thus preventing (or at least discouraging) voters from casting ballots. The NDP, its vendor and consultants have identified two IP addresses that appear to have been the source of the attack and are investigating now.

The results of that investigation are still forthcoming, but in the meantime I wanted to focus on a discussion I saw online yesterday about whether and how NDP and its vendor should have prepared for the possibility of a DoS attack.

One point of view likened a DoS attack to bad weather on Election Day – an event that could hinder voters and which election officials know is possible, but are essentially powerless to predict or prevent. This point of view suggests that DoS events should be subject to the contractual doctrine of force majeure (aka “acts of God”) like weather or natural disasters that are often used to explain and excuse non-performance under a contract.

The other, contrary view was that while the DoS attack itself was outside the control of the NDP and its vendor, the fact that their system was susceptible to such an attack is something that should have been taken into account in advance. Given that a similar attack in the “real world” would require hundreds or thousands of voters to show up simultaneously at polling places and deliberately slow down the system – an enterprise that (unlike an online attack) would create huge numbers of co-conspirators and potential prosecution witnesses who could help uncover and punish the perpetrators.

I confess I’m far more sympathetic to the latter view. While I firmly believe there are some things (like turnout) that are completely outside the control of election officials, the choice of voting system – and the accompanying risk of bad acts – brings with it a responsibility to consider the “threat model” that accompanies that choice.

After all, Yogi Berra’s observation is funny because it’s true … crowds can make anything unpopular. Knowing that – and hardening any system against “bad guys” using crowds to hinder voting – is something that election officials should do regardless of what voting system they employ.