When Canada’s Communications Security Establishment announced in mid-2017 that it was expecting the next federal election to be the target of hacks and interference, it identified three main groups that should be on their guard.
The first was Elections Canada itself, which has less to worry about since it still relies on paper ballots and hand-counting.
The second was politicians and their parties, who are vulnerable to blackmail and website hacks. And the third was media outlets, who need to adapt to a new era of so-called “fake news.”
But one group that is intimately involved in election campaigns, and wasn’t flagged by the CSE, is polling firms.
WATCH: A West Block primer on election hacking
As races like the one currently happening in Ontario unfold and leaders press the flesh, pollsters are watching the electorate like hawks. Two points up or down in their surveys — which are commissioned by parties and media outlets and start to roll out as soon as the writ drops — can turn a campaign around in an instant.
Parties constantly adjust strategy as support waxes and wanes, and even voters are not immune to the changing winds. Someone thinking of voting NDP, for example, might see a late surge in Conservative support and, worried about splitting the centre-left vote, bolt to the Liberals.
All of this could, in theory, make polling firms like Ipsos (which conducts regular polling on behalf of Global News), Nanos, Abacus and Forum Research tempting targets for outside actors who want to sway election results. These companies collect, examine and store huge amounts of data, and more and more of it is gathered online.
“The threat is real, and any business that’s operating in Canada that doesn’t think so is looking at things through rose-coloured glasses,” said Sean Simpson, VP of public affairs for Ipsos.
“We’re very confident that we’ve got the processes and systems in place in order to mitigate any risks that we may perceive.”
Building a fortress
Companies usually rely on a pre-recruited, established pool of respondents for their online surveys, Simpson explained. So one of the less onerous ways to affect the results of an online poll would be to infiltrate that pool (by hacking password-protected accounts, for example) and get as many responses as possible to indicate support for, say, the Conservatives.
WATCH: Poll shows majority of Canadians want a new leader as Trudeau approval rating falls to 44%
That is not as easy as it might seem, however. Ipsos deploys a vast array of cybersecurity tools to prevent this type of tampering, Simpson said.
Among other things, the company scans for bot activity, watches for the duplication of email contact information, checks for valid mailing addresses, uses geo-IP address verification to ensure respondents are physically where they say they are, and keeps a running list of “blacklisted” users and IP addresses.
A validation survey must be passed before a respondent can even enter the actual political survey.
“All of these security procedures, as a whole, screen out about half of the applications that we receive to join our panel,” Simpson said.
“None of these are used exclusively or independently of each other. It’s a system.”
A genuine, pre-approved respondent will typically only answer the survey once, isn’t responding to similar surveys in quick succession to try and make a quick buck (as most surveys carry a small financial incentive), and is actually thinking about their answers, he added. A five-minute survey shouldn’t take them one minute to complete.
Once the data is collected, the company uses the typical array of firewalls, anti-malware and physical security around its servers to make sure that it can’t be altered, or stolen.
Over at Nanos, things are done a bit differently. Respondents to online surveys are first randomly recruited by phone using a pool of landline and cell-phone numbers.
“A unique one-time link is sent to the people we talk to — which can be used only once and then it closes down (and) locks so there is only one survey allowed for each unique link,” explained Nik Nanos, chairman of Nanos Research, in an email.
“Our security is pretty tight since there are no open links, or ads or people who volunteer for multiple surveys from a link. It is the most expensive way to do online research but yields a probability sample and can’t be spammed.”
Nanos relies exclusively on telephone responses for vote-intention estimations, he added, while using online surveys for questions about policy.
“I would assume that most of (the polling firms) would be tracking IP addresses, but IP addresses can be spoofed,” she noted. “So it’s possible to mask that, and that could change the outcome of a particular poll. Otherwise, actually hacking into companies … takes a big effort and a lot of resources.”
WATCH: Is Canada vulnerable to major election hacking?
Poll-meddling at any level would not be the easiest way to interfere in a country’s democratic process, Wanless added. Typically, most of the interference (in the recent Brexit campaign and during the American presidential election, for example) has been happening via social media, using existing online resources.
“You want to be trying to get as much content onto a bunch of different websites, and get trending on Twitter so that you can alter news feeds and search feeds, and get that content into echo chambers where people are really going to spread it,” she said.
Another consideration, Wanless pointed out, is that researchers have long struggled to identify exactly how poll numbers affect voter behaviour, so a hack might not have the desired effect. And overall public trust in traditional “horse race” polls has taken a beating in recent years.
“They wildly got things like Brexit wrong, and Trump. There was next to no one predicting that he was going to win,” Wanless said.
“Which tells me that maybe (polls) wouldn’t be the best place to put an effort in if you wanted to sway the masses.”
Back at Ipsos, Simpson maintains his firm has never been compromised before, and is ready for whatever might be coming.
“Of course, nobody can be complacent. There are always new techniques … so we’re constantly updating what we’re doing,” he said. “This has been on our radar for quite some time.”