Canadian pollsters build fortresses around their data to protect from hacks

People cast their ballots during the 2016 presidential election in Nevada. Evidence of Russian influence during the election has been mounting, and experts warn Canada could face similar interference. Reuters/David Becker

When Canada’s Communications Security Establishment announced in mid-2017 that it was expecting the next federal election to be the target of hacks and interference, it identified three main groups that should be on their guard.

The first was Elections Canada itself, which has less to worry about since it still relies on paper ballots and hand-counting.

The second was politicians and their parties, who are vulnerable to blackmail and website hacks. And the third was media outlets, who need to adapt to a new era of so-called “fake news.”

But one group that is intimately involved in election campaigns, and wasn’t flagged by the CSE, is polling firms.

WATCH:  A West Block primer on election hacking

Click to play video: 'The West Block Primer: Election Hacking'
The West Block Primer: Election Hacking

As races like the one currently happening in Ontario unfold and leaders press the flesh, pollsters are watching the electorate like hawks. Two points up or down in their surveys — which are commissioned by parties and media outlets and start to roll out as soon as the writ drops — can turn a campaign around in an instant.

Story continues below advertisement

READ MORE: NATO expert warns of Russian meddling in Canada’s 2019 election

Parties constantly adjust strategy as support waxes and wanes, and even voters are not immune to the changing winds. Someone thinking of voting NDP, for example, might see a late surge in Conservative support and, worried about splitting the centre-left vote, bolt to the Liberals.

All of this could, in theory, make polling firms like Ipsos (which conducts regular polling on behalf of Global News), Nanos, Abacus and Forum Research tempting targets for outside actors who want to sway election results. These companies collect, examine and store huge amounts of data, and more and more of it is gathered online.

“The threat is real, and any business that’s operating in Canada that doesn’t think so is looking at things through rose-coloured glasses,” said Sean Simpson, VP of public affairs for Ipsos.

“We’re very confident that we’ve got the processes and systems in place in order to mitigate any risks that we may perceive.”

Get the latest National news. Sent to your email, every day.

Building a fortress

Companies usually rely on a pre-recruited, established pool of respondents for their online surveys, Simpson explained. So one of the less onerous ways to affect the results of an online poll would be to infiltrate that pool (by hacking password-protected accounts, for example) and get as many responses as possible to indicate support for, say, the Conservatives.

Story continues below advertisement

WATCH: Poll shows majority of Canadians want a new leader as Trudeau approval rating falls to 44%

Click to play video: 'Poll shows majority of Canadians want a new leader as Trudeau approval rating falls to 44%'
Poll shows majority of Canadians want a new leader as Trudeau approval rating falls to 44%

That is not as easy as it might seem, however. Ipsos deploys a vast array of cybersecurity tools to prevent this type of tampering, Simpson said.

Among other things, the company scans for bot activity, watches for the duplication of email contact information, checks for valid mailing addresses, uses geo-IP address verification to ensure respondents are physically where they say they are, and keeps a running list of “blacklisted” users and IP addresses.

A validation survey must be passed before a respondent can even enter the actual political survey.

“All of these security procedures, as a whole, screen out about half of the applications that we receive to join our panel,” Simpson said.

Story continues below advertisement

“None of these are used exclusively or independently of each other. It’s a system.”

A genuine, pre-approved respondent will typically only answer the survey once, isn’t responding to similar surveys in quick succession to try and make a quick buck (as most surveys carry a small financial incentive), and is actually thinking about their answers, he added. A five-minute survey shouldn’t take them one minute to complete.

READ MORE: Russian cyberattacks targeted 39 countries and combined hacking, forgery, disinformation

Once the data is collected, the company uses the typical array of firewalls, anti-malware and physical security around its servers to make sure that it can’t be altered, or stolen.

Over at Nanos, things are done a bit differently. Respondents to online surveys are first randomly recruited by phone using a pool of landline and cell-phone numbers.

“A unique one-time link is sent to the people we talk to — which can be used only once and then it closes down (and) locks so there is only one survey allowed for each unique link,” explained Nik Nanos, chairman of Nanos Research, in an email.

“Our security is pretty tight since there are no open links, or ads or people who volunteer for multiple surveys from a link. It is the most expensive way to do online research but yields a probability sample and can’t be spammed.”

Story continues below advertisement

Nanos relies exclusively on telephone responses for vote-intention estimations, he added, while using online surveys for questions about policy.

Lower-hanging fruit

According to Alicia Wanless, director of strategic communications at the SecDev Foundation, influencing an online political poll is indeed possible.

“I would assume that most of (the polling firms) would be tracking IP addresses, but IP addresses can be spoofed,” she noted. “So it’s possible to mask that, and that could change the outcome of a particular poll. Otherwise, actually hacking into companies … takes a big effort and a lot of resources.”

WATCH: Is Canada vulnerable to major election hacking?

Click to play video: 'Is Canada vulnerable to major election hacking?'
Is Canada vulnerable to major election hacking?

Poll-meddling at any level would not be the easiest way to interfere in a country’s democratic process, Wanless added. Typically, most of the interference (in the recent Brexit campaign and during the American presidential election, for example) has been happening via social media, using existing online resources.

Story continues below advertisement

“You want to be trying to get as much content onto a bunch of different websites, and get trending on Twitter so that you can alter news feeds and search feeds, and get that content into echo chambers where people are really going to spread it,” she said.

READ MORE: Russian hackers targeted more than 200 journalists, bloggers around the world

Another consideration, Wanless pointed out, is that researchers have long struggled to identify exactly how poll numbers affect voter behaviour, so a hack might not have the desired effect. And overall public trust in traditional “horse race” polls has taken a beating in recent years.

“They wildly got things like Brexit wrong, and Trump. There was next to no one predicting that he was going to win,” Wanless said.

“Which tells me that maybe (polls) wouldn’t be the best place to put an effort in if you wanted to sway the masses.”

Back at Ipsos, Simpson maintains his firm has never been compromised before, and is ready for whatever might be coming.

“Of course, nobody can be complacent. There are always new techniques … so we’re constantly updating what we’re doing,” he said. “This has been on our radar for quite some time.”

Sponsored content