NDP site the weak link in online attack during 2012 leadership vote

An online attack that delayed the results of the NDP's 2012 leadership vote hit the party's website, not the site of the company running the online vote.

Tom Mulcair was selected as leader after voting results were delayed by hours

An online attack that delayed the results of the NDP's 2012 leadership vote hit the party's website, not the site of the company running the online vote. (Evan Mitsui/CBC)

An online attack that delayed the results of the NDP's 2012 leadership vote succeeded because it hit the party's website, not the site of the company running the online vote, a company representative says.

The voting that chose Tom Mulcair as the New Democratic Party's leader was besieged by a "distributed denial of service" attack, which bombards a server with repeated attempts at communication to try to slow it down or crash it altogether.

The process was delayed by several hours and left many delegates complaining they couldn't access the site to cast their ballots.

At the time, neither the NDP, nor Scytl, the company that provided the online voting service, would explain beyond saying it was a denial of service attack.

But Scytl representatives now say the attack hit the NDP's website and that its own technology was never compromised.

'Only as strong as your weakest link'

The problem stemmed from a link on the New Democrats' website that directed members to Scytl's secure website, allowing the denial of service attack to hit a public page.

"The attack was focused on the NDP website," said Mark Pivon, a sales director for Scytl. "It was not a reflection of us. The attack was focused on their website and so ... people couldn't access the link to get to the vote."

The company's director of operations for Canada said it's impossible to guarantee nobody will try to attack or hack a vote and emphasized that the voting data was never compromised.

"We cannot guarantee, just like we cannot guarantee that nobody will ever try to open the door in your house [to break in]," Richard Catahan said.

"You're only as strong as your weakest link."

Scytl says data are encrypted from start to finish in the process and held in an isolated server.

The NDP refused to answer questions, saying it had nothing more to add now than at the time of the attack.

Limit access to voting page

Dean Smith, whose electronic voting company Intelivote was being considered by the NDP for its leadership vote, says he recommends clients protect the URL of the page from which ballots are cast.

Tom Mulcair became the federal NDP leader after long delays in voting in 2012. (Evan Mitsui/CBC News)
​"The only people that should know the URL of the website that they go to vote at are the people that have been sent voter credentials," Smith said.

"And in the case of the NDP, what they did is they actually put a great big red button on the same website that everybody was watching the streaming video [on] … and it took them right into the voting system."

Smith said he had talked to NDP officials about the possibility of working for them on the leadership vote and had advised them not to do that.

"I'm not going to say it's a rookie mistake, but it's something that if you're expecting a lot of people to watch an event or be involved in an event, it's only those people that are involved in it that you want to actually participate ... And it's always been a rule that we have that we don't allow the client to put a link on their website to the voting system because anyone who knows they're having an election would simply visit their site and then pick up that information from there."

Broader implications

The party initially seemed to want to find the perpetrator, but eventually gave up.

Representatives from Scytl were in Ottawa last Friday for the Manning Centre's annual networking conference. They said the company is in discussions with the Conservative Party to provide services to them.

The problem at the NDP leadership convention could have broader implications, with Elections Canada long considering an online voting trial run for federal elections. The government's proposed election law reforms would make it harder for the agency to test out such a process, requiring the consent of the House and the Senate before allowing it.

Minister of State for Democratic Reform Pierre Poilievre has called online voting "risky" and "unproven."

"I believe Elections Canada has a lot of work to do to convince Canadians that it is capable of running a traditional paper ballot system — and it needs to do this before experimenting with risky, unproven voting schemes. The change in the Fair Elections Act requires the CEO [chief electoral officer] of Elections Canada to first consult with parliamentarians on how to improve the voting system. Given the findings of the Neufeld Compliance Review about Elections Canada, this is the safest way to protect the integrity of our elections," Poilievre told to CBC News last month through a spokeswoman.

Scytl said Friday that it has never been hacked over the course of 100,000 votes in about 10 years.

10,000 IP addresses

A denial of service attack can be co-ordinated by one person using a number of IP addresses with computers that don't belong to the attacker.

About 11,000 NDP members were voting live, as opposed to advance voting. About 131,000 members were eligible to vote. 

Scytl was able to determine that approximately 10,000 IP addresses were used in the attack and that each computer launched up to 1,000 requests per minute to the voting server. An IP address is a number assigned to an internet connection.

An estimated 10 million bogus requests hit the server in addition to the legitimate requests from people trying to vote and jammed the system.

The attacks came from computers mostly across Canada, but some were from outside the country. The ones from outside Canada were literally spread around globe: China, New Zealand, Australia, United States, the Caribbean, India, and parts of Africa and Europe.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.