21 October 2022

The Conservatives cannot guarantee the security of their leadership election

Experts say an online poll to elect a head of government, implemented in less than a week, cannot be secure or transparent.

By Oscar Williams

Britain’s next prime minister could be chosen next week using unproved and controversial technology, which security experts have told the New Statesman is not transparent or robust enough to guarantee the security of the process.

Rules drawn up by the 1922 committee mean that if at least two candidates receive more than 100 MP nominations, the party’s membership will elect the leader. They will do so using an online voting system, making Britain the second country in the world to choose its head of state using online voting. But while Estonia has spent 17 years developing a system that allows around 40 per cent of its electorate to vote online, this will be the primary option for Conservative members – and they will have less than a week to access and familiarise themselves with the system. 

Tory party officials have sought to reassure voters that the leadership race will be immune from foreign interference if it goes to an online ballot next week. But “e-voting” and “i-voting” are still relatively immature technologies with significant security challenges. 

These techniques remain controversial even among the cryptographers who have spent decades developing them. “No one to date has come up with an entirely satisfactory solution [for online voting], including myself,” said Peter Ryan, applied security professor at the University of Luxembourg, who worked at GCHQ and the Ministry of Defence before spending almost 20 years studying and developing online voting systems. 

A perfect system would be easy to use, guarantee the voter’s anonymity and demonstrate to them that their ballot had been counted accurately. But these competing demands are extremely difficult to balance theoretically, and even more so in real-world applications. The New Statesman has asked the Conservative Party to guarantee that voters will remain anonymous, and that they will be able to check how their votes have been counted, but has yet to receive a response.

Ryan said he is concerned at the lack of transparency around a system that is being used to decide who runs the United Kingdom. When the party gave its members the option to vote online in this summer’s leadership election, he approached the Conservative Party and Civica, the software supplier that was managing the ballot, to request details of how it would work: “Civica said something like, ‘we cannot discuss an election of such sensitivity’.” 

The party chairman, Jake Berry, made similar remarks in a statement on Thursday afternoon (20 October). “Without going into the security measures we will take, for reasons I’m sure you will understand, we are satisfied that the online voting system will be secure,” he said. 

“My response is,” said Ryan, “it’s precisely because it is such a sensitive election that you should be talking to experts and displaying a bit of transparency about the process. We have no grounds really to trust the process apart from blind trust.”

In August, the Conservatives were advised by security experts at the National Cyber Security Centre (NCSC) to drop plans to let members alter their votes after submitting them, due to concerns that it increased the risk that hostile actors would interfere with the process. The party accepted the advice and made no other changes. 

Ryan said the implication was that NCSC was otherwise “moderately happy” with the system. “If you’re prepared to trust that Civica will maintain the security of their servers and so on, the system will probably work OK – but there’s a lot of trust there.” He said he did consider the company trustworthy and competent, but “having to place such trust in a single outfit is profoundly worrying… I really want transparency in the process, so that we can verify that it will be conducted properly.”

The contest’s short time scale means a foreign power, even with advanced cyber capabilities, would find it difficult to compromise a sufficient number of voters’ devices to alter the outcome. It is not yet clear who will run the process, but any credible supplier would also be expected to have established firewalls around their servers, to protect them against external attacks.

The more significant concern among security experts relates to how the party verifies voters. The news organisation Tortoise has taken legal action against the Conservative Party after it refused to reveal details of its membership. Tortoise’s journalists had successfully registered memberships for four fake individuals, including two foreign nationals. “In a way, what worries me more [than the prospect of a breach],” said Ryan, “is that we have this murky electorate we know nothing about, which is not in any way representative of the UK.”

As the country continues to feel the consequences of Liz Truss’s economic mismanagement, the UK hardly needs more reasons to reject a system in which less than 0.2 per cent of the population appoints the country’s prime minister. If the party cannot guarantee that the votes of even this tiny minority are properly represented, this will only lend further weight to calls for a general election.
