Fraudulent emails used to cast votes in UCP leadership race, CBC finds
Lists show members had emails attached to their names that were used to intercept PINs needed to vote
Documents obtained by CBC News show email addresses fraudulently attached to Alberta's United Conservative Party (UCP) memberships were used to cast ballots in the party's leadership race, which Jason Kenney won in 2017.
There were virtually no safeguards against the practice.
CBC News surveyed a list of over 100,000 UCP members and their email addresses. From a sample of 49 addresses selected because of their suspicious domains, 31 were used to cast votes in the leadership vote.
Those email addresses were cross-referenced with a list of people registered to vote in the leadership race and a list of those who actually voted.
To choose the leader of their political party in 2017, UCP members submitted their vote online. In order to do so, each member was meant to have a verified email address and a PIN number.
Former UCP MLA Prab Gill has alleged in a letter to the RCMP that the Kenney leadership campaign used fraudulent emails to intercept personal identification numbers needed to cast a ballot in the leadership race. Gill said those PINs, which should have been sent to individual members, were then used by the Kenney campaign to vote for Kenney.
CBC News has not independently verified Gill's claims.
A cease and desist letter sent to Gill from Kenney's lawyer Steven Dollansky calls the allegations "plainly false and defamatory."
- VOTE COMPASS | Find out how your views on campaign issues line up with the platforms of Alberta's major parties
Many of the suspect domains trace back to a hosting service and are linked to a network of ever-changing websites and domains, including Torytracker.com, Bellwebmail.com, Mail.deanfrench.ca and many more.
It is not known who purchased those domains.
As previously reported, the suspect email addresses attached to members were all purchased in the days leading up to the UCP leadership vote on Oct. 28, 2017. None of the emails are currently in service.
Cross-referencing two of the party lists obtained by CBC News shows the vast majority of the fraudulent emails were attached to memberships between Oct. 3 and Oct. 24, 2017.
It is not known how widespread the practice is outside of the selected sample, and there could be more fraudulent emails with valid domains like Gmail or Hotmail.
Calling those on the list
CBC News contacted a dozen people with suspect emails attached to their memberships who confirmed they did not vote in the leadership race, and who said their emails were different from the ones on the list.
Language barriers required bringing on a native Punjabi speaker who works for CBC News in order to clarify details.
One man, whose family was all listed as having voted with emails that were not their own, agreed to speak to CBC News as long as we did not identify him, for fear of repercussions in his tight-knit Indo-Canadian community.
We'll call him Raj.
One family's story
Raj said someone from his community came to the house and asked the family to sign up for the UCP.
"They know that most people in our community, like my parents, who have a language barrier, are not going to log into a computer and vote," he said.
- Listen to The Ledge podcast, as CBC's legislative reporters bring you expert analysis and insiders' insight
Raj said his family is "not big into politics. It's something we kind of stay away from." But they signed up because they were asked in person.
"At that point, when they come to your house, it's just a sign of respect."
Raj said they put down their names, phone numbers and street address. Emails were also put down for some members of his family. CBC News is withholding how many family members there are in order to protect the family's identity.
On the list obtained by CBC News, it shows emails were added for some family members without emails, and the other members had their emails changed.
"Clearly, I can say 100 per cent: We did not vote," Raj said.
RCMP questions
Raj said the RCMP showed up at their house to speak with his father about the allegations of voter fraud.
"They tried to ask my dad some questions, and my dad was sort of scared at that point: 'Hey, what's going on? Did I do something?'" said Raj.
- Sign up to get our election newsletter The Scrutineer delivered directly to your inbox twice weekly
His dad called him and they set up a time to speak with the RCMP, who Raj said was interested in their emails and contact information and read to Raj from a list.
"I was like, is this even a real domain?" said Raj.
It's not known how many others have been contacted by the RCMP in the course of their investigation.
In a written statement, UCP executive director Janice Harrington said the leadership vote "followed the most stringent security protocols of any leadership race conducted in Canada," and strenuously denied allegations of voter fraud.
"The registration process required that every eligible member provide photo identification with a valid address that matched the address on their membership in order to obtain a PIN," she wrote. "A PIN was not issued unless the member provided the required photo identification."
Harrington said the party is confident in the integrity of the results.
Kenney addressed the findings on fraudulent email addresses as laid out in this story at a stop in Fort McMurray on Wednesday and defended the voting process.
"I would be very concerned if that's the case and all I can tell you is that I believe 60,000 people voted in the leadership," he said.
"I was honoured to receive about 61 per cent of that and a 17,000 vote margin. And if there's anybody who didn't vote authentically, then that concerns me, obviously."
Online voting
The online vote was run by a company based in Nova Scotia called Intelivote.
Dean Smith, the president and founder of that company, said the system functioned as it was designed to and there were no issues on their end. However, he conceded there is no way for the system to determine whether the PIN needed to cast a vote was used by the member tied to that PIN.
In other words, if someone created fake email addresses in order to intercept PINs, Intelivote would have no way of monitoring that or preventing it.
- Alberta Votes 2019: CBC News brings you all the news, analyses and columns you need for the election
"If the email address that was supposed to send you the PIN on the file was changed or somehow manipulated by somebody else, if it went to somebody else, that would have been done long before the information came to us, because once it comes to us, that's the address, the address that's used to send a PIN," he said.
"We have no control over the point of where the registration took place, and this is the same in every event we do."
The auditors
UCP Leader Jason Kenney has consistently defended the voting process and fought back against allegations of voter fraud. He points to the auditing of the vote and the work of the leadership election committee as proof that it was clean.
Robyn Henwood, the chair of that committee, spoke to CBC News back in 2017 about allegations of voter fraud.
"The chances of voter fraud are so small, the chances that someone would get somebody else's PIN is nearly impossible," she told CBC News one day before the leadership vote, after the campaigns for UCP leadership rivals Brian Jean and Doug Schweitzer raised concerns over the process.
- Find out how Alberta's political parties are faring in our Poll Tracker
"The only people who could possibly do this would be the campaigns themselves and we know these leadership candidates," Henwood said. "I do not doubt their integrity at all."
The audit of the vote was conducted by Dorward & Co., an accounting firm with offices in Calgary and Edmonton that was founded by David Dorward, a UCP candidate in Edmonton-Gold Bar.
Repeated requests for an interview by phone and by email to Dorward & Co's Stephen Johnson, who proclaimed a clean vote the night of the UCP leadership announcement, were ignored. So was a group email to Johnson and the rest of the Dorward & Co. team listed on the company website.
Multiple votes from one location
The Kenney campaign has faced allegations that it used virtual private networks (VPNs) to mask the addresses of computers in order to cast multiple ballots from one location.
That allegation was connected to the use of PINs acquired through the use of fraudulent emails.
Intelivote's Smith says multiple votes from one location wouldn't necessarily raise a flag, but there is nothing to prevent or screen for the use of VPNs.
Former Wildrose leader and UCP leadership candidate Brian Jean previously told CBC News that no more than six votes were allowed from a single IP address under the leadership rules.
He complained to the UCP leadership election committee when it was revealed Kenney's campaign was using VPNs at voting stations established by the campaign.
Kenney said all leadership campaigns had voting stations, which Jean said was not true.
The rules surrounding the leadership race were clear about the use of voting stations.
"There will be no UCP-organized in-person voting locations," the UCP election rules stated. "Leadership contestants and constituency associations will be encouraged to help all Electors to vote regardless of where Electors live."
Cybersecurity
"Seeing a lot of ballots being cast under a single IP address would be something that, well, if I was running an online voting service, I'd be suspicious about," said Aleksander Essex, an assistant professor of software engineering at Western University in Ontario who specializes in cyber security of elections.
Essex said establishing email accounts and ensuring they are all funnelled to the same place would be easy, but auditing the vote to determine if fraud took place would not.
"We have to be careful to distinguish between auditing a nominal election that's being conducted using online voting versus unraveling the mystery that seems to be before us right now," he said.
"In the former case, there is really no easy way to audit an online election. Certainly not the way that it's been deployed in Canada. In terms of auditing what went on in this particular case, it would be important to have access to the logs of the web server, which means that the vendor would have to provide those logs."
Essex said you would not be able to identify who cast a vote using a particular PIN, only that the PIN was used to cast a vote.
Smith said you can add another layer of security to the Intelivote process by requiring something like a birth date along with the PIN, but that there was no secondary security feature like that in the UCP vote.
He also confirmed that one of the email domains listed in a previous CBC story on the voter fraud allegations was used to cast a vote during the UCP contest.
The kamikaze campaign
Allegations of voter fraud aren't the only questions swirling around the UCP leadership vote. It is also alleged leadership candidate Jeff Callaway ran for the purpose of targeting Kenney's top rival, Brian Jean, with a plan to step down before the vote and throw his support behind Kenney.
Both Callaway and Kenney strenuously deny the allegations, but documents obtained by CBC News show there was deep co-operation between the two campaigns, with high-ranking Kenney officials providing resources, including strategic political direction, media and debate talking points, speeches, videos and attack advertisements.
One email shows a timeline for the Callaway campaign, including a date for when he would drop out of the race.
Callaway's campaign is being investigated by both the RCMP and Alberta's election commissioner for irregular financial donations.
So far, three people have been fined a total of $20,500 for donating money to Callaway's campaign that was not their own.
Two others have received letters of reprimand for the same offence.
Callaway's former communications manager was fined $15,000 for obstruction of an investigation.
Recently, Callaway and five others tried to pause the investigation into his campaign and applied for an injunction. As a result, documents that were previously secret were made public, including a letter from the election commissioner ordering Callaway to repay $26,500 in contributions.
The letter also showed the former leadership hopeful could face two years in prison or a $50,000 fine.
Callaway's former chief financial officer also faces the prospect of two years in prison and the $50,000 fine for "corrupt practices."