Jazz MA, Frank LEE, and Robert CHUNG
Public Opinion Programme, The University of Hong Kong
This is a summary of the paper presentation made by the authors at the Asian Network for Public Opinion Research (ANPOR) Annual Conference 2014 held in Niigata, Japan on 30 November 2014.
PopVote is an electronic voting system developed by the Public Opinion Programme at The University of Hong Kong (HKUPOP), as a new form of public opinion expression in the digital era. Three voting channels are available on this system, namely, mobile applications, a dedicated website and physical polling stations. Every channel allows electronic voting, while voters can also choose paper ballots at physical polling stations. Since 2012, this system has been put into practice for three civil referendums of various scales in Hong Kong, the most recent one being conducted in June 2014 on Hong Kong’s constitutional development, and over 800 thousand votes were cast by qualified voters. The system has now evolved into a sophisticated and mature so-called “enterprise grade system”. This paper describes the objectives and importance of electronic voting and civil referendums in developing civic societies, examines how this PopVote system is designed to identify the voter online, to receive tremendous number of votes, to securely encrypt and store sensitive data, to operate physical polling stations designed for electronic voting, and to withstand from cyber attacks of different types and scales. Apart from the system design, the authors will also share their experience in organizing large-scale voting events in Hong Kong.
Keywords: Electronic voting, Civil Referendums, Cyber attacks, Online polling, PopVote
What is Electronic Voting
All official elections in Hong Kong are using paper ballots, which is a low-tech approach amidst countless smartphone users. The objective of developing an electronic voting is to provide a convenient and secure way for the voters to cast their votes through an electronic medium while allowing the organizer to conduct vote counting in an accurate and efficient manner.
Electronic voting relies on a robust electronic voting system. In 2013, the Public Opinion Programme (POP) of The University of Hong Kong formed a group of 11 professionals from the information technology industry to work out an electronic voting system to be introduced to Hong Kong.
Up to this date, three large-scale civil referendums with electronic voting have been run by POP, separately in March 2012, Jan 2014 and June 2014. The numbers of voters were over 230 thousand, 60 thousand and near 800 thousand respectively. The one held on 22 June 2014 was named as “6.22 Civil Referendum” and will be discussed in this paper.
Background of Civil Referendum
The Hong Kong Basic Law delineates the requirements for electing the Chief Executive for the city. Yet, what form of universal suffrage would be set and how it is executed in Hong Kong has been a long debate for over 20 years. Under this setting, the latest round of public consultation on political reform was conducted by the Hong Kong government for a period of six months from December 2013 to May 2014. Before the consultation kicked off, a group from civil society called Occupy Central with Love and Peace (OCLP) stated that it would campaign for universal suffrage through dialogue, deliberation, civil referendum and civil disobedience (via “occupying” the Central District of Hong Kong); it also demanded that the political reform proposal put up by government should satisfy the "international standards" in relation to universal suffrage, meaning equal number of vote for each voter, equal weight for each vote and no unreasonable restrictions on the right to stand for election, and the final proposal for the electoral reform to be decided by means of democratic process.
In early 2014, OCLP commissioned POP to run a civil referendum on three proposals – all of which involve allowing citizens to directly nominate candidates – to be presented to the Beijing government. It ran from 20 to 29 June 2014. The two referendum motions were: "For CE Election 2017, I support OCLP to submit this proposal to the Government: 1. Alliance for True Democracy Proposal, 2. People Power Proposal, 3. Students Proposal, or Abstention" (Motion 1) and "If the government proposal cannot satisfy international standards allowing genuine choices by electors, the Legislative Council (LegCo) should veto it, my stance is: LegCo should veto, LegCo should not veto, or abstain" (Motion 2).
Voting channels and period
The electronic voting system designed allowed for three different voting channels, namely mobile applications, a dedicated website and physical polling stations. Both mobile applications and dedicated website were defined as off-site voting and relied on the Internet connection to the voting system. With these off-site voting channels, voters were not required to go to any physical polling station to cast their votes, all they needed to do was to simply use a handheld smartphone device to load the mobile application or open the dedicated voting website on a computer to complete the whole voting procedures. The physical polling station was defined as on-site voting channel, to provide an alternative for those who did not have any electronic devices or would only trust a physical way of voting.
In the 6.22 Civil Referendum, all the three voting channels were made available for the public and 15 physical polling stations were set in different areas in Hong Kong. Apart from the actual voting, a mock voting and pre-registration were conducted beforehand, from 13 June 2014 to 18 June 2014. During that period, voters were able to test the voting environment of the mobile applications and voting website. Once the voters were qualified by the Short Message Service (SMS) verification system, they were defined as having “pre-registered” and further SMS verification was no longer required at the actual voting. However, because the electronic voting system was under severe attack during the mock voting and pre-registration period, it was decided to extend the actual voting period. The original plan of voting period was changed as follow: 1) the mobile application and website voting channels for three days (20 to 22 June 2014) was extended to ten days (till 29 June 2014), and 2) the physical polling stations for one day on 22 June 2014 was also extended to 29 June 2014. Although the voting period was finally extended from 3 days to 10 days and the number of polling stations was increased from 15 to 21, the voting system itself and the data integrity did not change. And for the operation of the physical polling stations, altogether more than 300 helpers were involved to help out with the registration, voting, security and crowd control at the physical polling stations.
From the voter’s perspective, they were allowed to either download a mobile application branded as “PopVote” from Apple App Store or Google Play Store, or go to the voting website https://secure.popvote.hk to cast a vote. Apart from this, the system infrastructure was deployed on a cloud service provider Amazon Web Services and protected by a protection service provider Cloudflare. The system infrastructure was designed to be scalable and could handle massive concurrent traffic by making use of the Elastic Load Balancer for distributing the traffic, CloudFront for content delivery networks, and ElasticCache for a high speed key-value store. On the software side, there were queue ticketing sub-system to queue up surge traffic, hashing algorithm to secure the personal data, and long polling SMS verification sub-system to verify the SMS in real-time.
There was a real-time turnout update feature implemented on the project website https://popvote.hk. During the mock voting and pre-registration period, there were about 30 thousand people participated even though the cyber attack had greatly hindered the connection speed. On the first day (June 20) of actual voting via mobile applications and website, there were already more than 380 thousand votes received. In other words, there were about 35 thousand votes came into the voting system per hour on average.
For off-site voting, voters were required to download the mobile application or access the voting website. The voting system was available in both languages of Traditional Chinese and English. Voters could select which language they prefer, then prompted with the terms of using the voting system and a privacy statement. They were then asked to submit a unique Hong Kong Identity Card number and a unique mobile phone number for identity verification. After that, the voter had to go through an SMS verification step before entering a ballot screen to cast a vote. SMS verification was required to verify one's identity online, since SMS is a common messaging method to prove the ownership of a mobile phone number. Once submitted, the personal data would be transformed into irreversible hash values and the ballot would be encrypted until all votes have been counted.
For on-site voting, physical polling stations were set up for the voters. About 20 to 40 station helpers were assigned in the operation of each physical polling station. Although this was a physical polling station, the actual method used for voting was still an electronic way. About 10 to 30 mobile tablet devices were set at the venue for receiving votes. The voters were required to present his/her Hong Kong Identity Card to the station helper, who would then enter the full card number to the system. Once the cardholder and card number have passed the verification check, the voter would be allowed to vote on another tablet device customized for voting. As slightly different from the off-site voting, the data were hashed and encrypted at the station level by the station server. When Internet connection was available, the station server would upload the data to the central server. With this feature, the operation of physical polling station did not require to rely on the Internet connection during the whole voting period.
Public Key Infrastructure (PKI) was used to secure the submitted ballot data. Thus, all the submitted ballot data were encrypted with a pre-defined public key before they were stored on to the database. Once the voting hours ended, electronic vote counting was arranged to decrypt the ballot and remove repeated votes. To increase the security level, the private key (decryption key) was not held by the operator of the voting system, it was actually held by three non-technical individuals from the day the key was generated, while each of them would only hold a certain portion of the key. In order to activate the vote counting process, any two of the three keys were required to be plugged into the system. The beauty of this design is to provide redundancy in case any one key or person is missing at the end.
The electronic vote counting took around 5 minutes to complete the calculations of over 800 thousand votes, and displayed the results on a web portal simultaneously.
A destructive attack came in since the second day of the mock voting and pre-registration period. The access to the voting system was completely slowed down due to a huge amount of Domain Name System (DNS) enquiries from different sources. In other words, real voters found it difficult to resolve the voting system’s domain name in order to access to the system server. Since the primary DNS provider Cloudflare did not expect such a large attack, its service had become unstable. For this reason, a secondary DNS provider AWS Route 53 was added to serve the domain resolution. However, after keeping the service running for one day, the usage of the second DNS provider amounted to be 100 billion DNS enquires, which was unbelievable. The service was then removed from being charged by the DNS enquires made by the attackers.
Apart from the Distributed Denial of Services (DDoS) attack on the DNS providers, a local company was originally committed to protect the infrastructure of voting system and was attacked near the same period. The protection service was planned to filter out all the unnecessary and overseas traffic before letting the traffic to reach the system infrastructure. It was then attacked by a massive 10Gbps SYN flood continuously and highly affected the operation of the local company. Therefore, the local company decided to stop providing service to the PopVote system.
Since the attack was huge, a giant Internet company Google was invited to provide assistance to mitigate the attack. At the same time, Cloudflare enrolled HKUPOP to its Galileo Project, which could offer full DDoS protection for free. While both parties were working on the protection hardware, it was decided to keep Cloudflare as the primary DNS and protection service provider to fight against the attack. Throughout the voting period, many different types of cyber attacks were received against HKUPOP and Cloudflare. including suspicious access to HKUPOP staff intranet account and application development account, phishing websites, malicious calls to general hotline, and fake email asking for usage reports.
Although the attack was huge and had completely taken down the access to the voting system during the mock voting period, the data collected was entirely safe. The voting system was designed to use a proprietary algorithm to hash all the personal data and perform encryption to sensitive data before storing onto the database. Fortunately, none of the attacks seriously affected the operation during the actual voting period, and the voting system successfully received more than 900 thousand SMS verification requests and 800 thousand votes at the end.
Impact of the 6.22 Civil Referendum
After the 10-day voting, a historical record of 792,808 people, equivalent to a fifth of the registered electorate of overall population in Hong Kong, took part by either voting online or attending designated physical polling stations. As a result of the voting, the proposal tabled by the Alliance for True Democracy won the unofficial "referendum" by securing 331,427 votes, or 42.1% of the 787,767 valid ballots. The proposal put forward by students came second with 302,567 votes (38.4%), followed by a People Power's proposal, which clinched 81,588 votes (10.4%). All three called for the public to be allowed to nominate candidates for the 2017 Chief Executive election, an idea repeatedly dismissed by Beijing as inconsistent with the Basic Law. As regards the second motion, an overwhelming majority of 691,972 voters (87.8%) agreed that the Legislative Council should veto any reform proposal put forward by the government if it failed to meet international standards, compared with 7.5% who disagreed.
The unofficial "referendum" infuriated Beijing and prompted a flurry of vitriolic editorials, preparatory police exercises and cyber-attacks. Mainland officials and newspapers called the civil referendum "illegal" while many condemned the act of so-called Occupy Central, claiming it was motivated by foreign "anti-China forces" and would damage Hong Kong's standing as a financial capital. The state-run Global Times mocked the referendum as an "illegal farce" and "a joke". Hong Kong's Chief Executive, Leung Chun-Ying, also commented on the civil referendum by saying "nobody should place Hong Kong people in confrontation with mainland Chinese citizens." Apparently, the pro-establishment camp was not satisfied with the outcome of this activity in the civil society which aroused so much public attention. Subsequently, the Alliance for Peace and Democracy was established to counter the Occupy Central movement, and it launched a month-long signature campaign from July to August 2014 for people who oppose the Occupy Central Movement. The campaign claimed it had collected over a million signatures supporting the campaign, although questions were raised over credibility of the number of signatures collected. Despite the Alliance's efforts, the Occupy Central movement commenced officially on 27 September 2014, which was also known as the famous “Umbrella Movement” in Hong Kong.
By looking at the tremendous number of voters who participated in this 6.22 Civil Referendum, electronic voting is undoubtedly gaining people’s trust and will become the future trend for a civic society to collect public opinions. The strengths and weaknesses of the electronic voting system have already been revealed after the three civil referendums of different scales. Those weak points are yet to be resolved with more advanced technology and cooperation with the commercial parties and the government. Technology keeps changing this world.