No tracking. No cookies
Subscriptions
Subscriptions
‘How Will We Know Putin hasn’t Picked the Most Disruptive Candidate?’
Security experts and democracy campaigners raise fears over a wild west Conservative leadership election if it goes to members, reports Josiah Mortimer
At 11 am next Friday, the UK could have a new Prime Minister picked by 180,000 Conservative members – in what will effectively be the UK’s first election of the position via an online ballot.
The scenario depends on whether the vote goes to party members on Monday 24 October, if one of the final two candidates whittled down by MPs does not drop out over the weekend. But serious concerns hang over the integrity of an “expedited” process that is almost totally unregulated.
The unscrutinised process flies in the face of the Government’s rejection of online balloting elsewhere. In July, the Telegraph reported that then Business Secretary Kwasi Kwarteng had “killed off” plans to allow unions to hold electronic votes on strike action, over fears they could be manipulated by “ill-intentioned” states. The next month, Conservative members voted to elect Liz Truss as Conservative Party leader – with tens of thousands voting online.
Once again, party members – among them foreign residents part of ‘Conservatives Abroad’ – will vote again. However, this time it will be solely online, triggering major concerns from security experts Byline Times spoke to.
Bitter Experience
Professor Steven J. Murdoch, head of the UCL Information Security Research Group, was an election monitor during the 2007 trials of electronic voting in the UK. The trials were not adopted for national elections over fears they could be manipulated and would foster mistrust in the entire electoral system.
After the trials, the Open Rights Group wrote that “no methods or opportunities were provided for candidates, agents or observers to verify the security and accuracy of the software used nor the results the software produced”.
“Despite some basic attempts at providing receipts, there was nothing to ensure that voters’ intentions had accurately been recorded or counted as intended,” it said. “Whilst ORG believes that error is more likely than fraud, ORG is unable to rule either out due to its inability to observe any of the crucial parts of the e-voting elections conducted”.
The same appears to be happening again with the Conservative leadership election, Prof Murdoch suggests. “Online voting is still a bad idea for anything high stakes – like choosing a prime minister,” he said.
“The internet is not secure enough for elections. The biggest reason is it’s relatively easy to selectively disenfranchise people. You can cause their computer to fail, or cause them to think they’ve voted when they haven’t. The computers themselves are not secure.”
Concern Over Foreign InterferenceAnd Conservative Membership Rules
It appears as though there is very little preventing malign foreign actors from swaying Tory leadership contests, reports Sam Bright
There are two things unique to online voting, unlike for example, using online banking – the inability to undo the action, and the anonymity.
“If someone steals your money, you can put it back,” Prof Murdoch noted. “If someone steals your country, you can’t. Paying money is not meant to be anonymous – banks need to track where money flows. For elections, that’s precisely what you do not want to happen. You want to never know who voted for who. That makes it harder to undo damage or identify misbehaviour… Experts are almost universal – the internet is not ready for fully online elections and might never be.”
In 2007, the Electoral Commission said that the trials of electronic voting were held fairly. But there were so many risks identified that it was considered unacceptable for future elections.
“An election is not to find out who got the most votes, it’s to convince everyone it’s legitimate,” Prof Murdoch added. “Even if nothing bad happens, you don’t need to choose the winner but convince the loser that they’ve lost.”
Music to Putin’s Ears
Asked if he thought the Conservative Party’s online members’ ballot could be fully safe and secure, cybersecurity expert Professor Ian Brown, formerly principal scientific officer at the Department for Culture, Media and Sport, put it simply: “No.”
“No such high-stakes election, facing such a serious potential threat from Russia and other sophisticated UK adversaries, can possibly be run securely online,” the visiting professor at the Centre for Technology and Society at Brazil’s RGV university told Byline Times. “Let alone one put together in a week.”
There are plenty of possibilities for interference, according to Prof Murdoch: “Causing the election to fail is feasible. So is creating a sense of something bad happening – then releasing this fact months after and causing chaos”.
Another target could be the Conservative Party membership database. “I don’t know how the Conservative Party checks its membership database – certainly it’s less rigorous than the electoral roll,” he said. “Technically, [the party] is just there to ensure they get the fees they request to get paid. They’re probably good enough at that. I don’t know if it will be good enough for picking a prime minister.”
If someone steals your money, you can put it back. If someone steals your country, you can’t
Professor Steven J. Murdoch
Andrew Ker, of the Security Research Group at the University of Oxford, said that while no form of voting is fully secure, “the more people know about online voting the less they like it”.
“The risk is that the whole process could be disrupted,” he told Byline Times. “The website collecting the votes gets hit with a denial of service attack. It is hard to mitigate against that. It doesn’t affect the results, and everyone knows. But you’ve stopped everyone voting. That’s a real concern if you don’t have some back-up.
“Suppose most of the voting went fine and, in the last six hours, the server went down. There would be speculation it would have changed the election. Malicious state actors have quite a lot of power to do DDOS” – ‘denial of service attacks’ that see servers overloaded with traffic to shut them down. “If the voting system falls down at the beginning, it doesn’t matter. But one at the last minute is a real problem. The internet is not very robust.”
Another target, given election firms’ robust defences, is members’ emails. “Even hitting 10% could be enough to disrupt the election,” he added. “But at least most people would know it happened. The real insidious thing would be where the count of the vote was faked”.
That aspect worries cybersecurity experts the most.
“How do you prevent people from altering the result?” Ker said. “With voting, an audit trail is incredibly difficult. You want to maintain the anonymity of the vote. But anonymity and auditability are almost incompatible. I hope their database is properly audited to detect such changes. I bet they aren’t.”
The situation is “quite scary”, he noted.
ENJOYING THIS ARTICLE? HELP US TO PRODUCE MORE
Receive the monthly Byline Times newspaper and help to support fearless, independent journalism that breaks stories, shapes the agenda and holds power to account.
We’re not funded by a billionaire oligarch or an offshore hedge-fund. We rely on our readers to fund our journalism. If you like what we do, please subscribe.
It is a concern echoed by Labour MP and democracy campaigner Clive Lewis who told Byline Times: “I only have to listen to the fact that GCHQ has stated they’re worried about interference… Our relationship with Russia has, if anything, got worse since the last leadership election. We are still supporting Ukraine – and they’re still in a conflict with Russia…
“Is the election secure? Will we have confidence the morning after that the person chosen isn’t the one chosen by Putin the most disruptive prime minister? If GCHQ is raising questions it’s something we have to ask.”
Checks and Balances
Hostile actors would be limited in the extent of their interference as just two candidates deemed acceptable by more than 100 MPs are going to go to Conservative members, under internal party rules. But states like China and Russia could sow doubt in the legitimacy of the new government if they even suggested that the had the potential to interfere in the vote.
GCHQ – which expressed fears over the integrity of how the online ballot was held in the last leadership election, triggering a change to the process – has some involvement in giving security advice to the party. But it is unclear how far this extends.
“I’m not aware of any rules on how the Conservatives ensure security in this race,” Prof Murdoch said. “The Electoral Commission manages elections to Parliament, not internal parties… It’s all at the whim of internal rules. There will be advice from the National Cyber Security Council [part of GCHQ]. Whether they follow that, is up to them.”
It has also emerged that there is no independent body formally supervising ballots of Conservative members, as Tortoise Media revealed that there was a “painfully long pause on the phone” when the question was put to a senior Tory official after the outlet exposed security weaknesses.
Those weaknesses included a pet tortoise named Archie and two foreign nationals securing a ballot in the last leadership election just weeks ago. The publication is now proceeding with a judicial review of how the Conservatives elect their leaders.
Difficult to Regulate
Professor Alison Young, Professor of Public Law at Cambridge University, told Byline Times that “given recent events, there are a lot of concerns not just as to the security of this process, but also its democratic credentials, particularly when there is a split between the wishes of the party members and MPs and a large shift in policy mid-way through a parliamentary term with no democratic mandate”.
“But the process of electing a leader is for each political party to determine for themselves – and any legal regulation would have to be careful of not interfering with the principles of freedom of association which may also harm the democratic process,” she said.
Tim Sharp, senior employment rights officer at the Trades Union Congress, called it “rank hypocrisy” and “absurd” to stop union members from voting electronically when the Conservative Party does. “The Tories are fine with using it to select their leaders,” he said. “But they won’t give nurses, teachers and millions of other workers the option of voting online during ballots.”
A spokesperson for the National Cyber Security Council told Byline Times: “Defending UK democratic and electoral processes is a priority for the NCSC and we work closely with all parliamentary political parties, local authorities and MPs to provide cyber security guidance and support. As the UK’s national technical authority for cyber security, we continue to provide advice to the Conservative Party, including on security considerations for online leadership voting.”
They would not go into further details about the level of their involvement or how security would be ensured in the online vote.
Few countries use internet voting for high-stakes elections due to the near consensus among security experts about the potential risks to electoral integrity and public trust. Britain will soon learn whether the public trusts the results if our next prime minister is chosen by a members’ ballot.
The Conservative Party was contacted for comment.
Josiah Mortimer is a political journalist based in South London, who writes regularly for Byline Times about democracy, unions, and human rights.