Category Archives: voting

Answering eDemocracyBlog’s case in favour of e-voting

eDemocracyBlog has recently put forward some arguments in favour of e-voting in response to the Hansard Society’s debate on the subject.

The blog’s author (whom I can’t identify) takes issue with a number of my views which I aim to defend here.

I tend to argue from first principles which requirements any electoral system should meet. These are that elections should be secure, verifiable and anonymous. eDemocracyBlog argues that because not all existing electoral systems, such as postal voting, meets these then my views on e-voting are flawed. I don’t agree at all.

I did actually mention at the Hansard event my concerns about postal voting. But when asked to debate e-voting I focussed on the challenges there, that isn’t to say that existing electoral arrangements are perfect — they aren’t. But just because that is the case in no way makes the case for e-voting. It just further re-inforces our need to focus on fixing the current setup.

The eDemocracyBlog writes:


Related to the security point was Kitcat’s comment that delivering PINs to anyone wanting to vote electronically would create a further threat to security. Yet banks generally seem able to handle the process.

Kitcat also said eVoting could enable “ballot stuffing on a massive scale” which the need to photocopy and complete postal ballots makes more difficult. But for a would-be fraudster it should be far harder to get hold of a large number of PINs than it is to get hold of a blank ballot paper and photocopy it.

Banking is a completely different process to voting: It isn’t anonymous, it’s easy to verify because you receive monthly statements and losses are just a cost of doing business – not the outcome of a binding political election where the stakes are much higher.

eDemocracyBlog is apparently unaware that paper ballots have security marks such as stamps, or watermarks which means you cannot photocopy them. This is why fraudsters try to collect postal ballots, because they can’t produce fresh ballots themselves.

Any smart hacker isn’t going to try to break the system by intercepting PINs (for example) in the postal system. They will crack the computer systems centrally and manipulate the authorisation credentials there or just directly manipulate the results. It’s much easier to change the result on one central computer then thousands of postal ballots, for example. We’ve seen electronic voting results cast in serious doubt in the US, Canada, Japan and many more countries.

eDemocracyBlog continues:

As for the possibility of somehow hacking into the system and creating false voting records, it may be possible that details of voters can be held separately from the details of votes, and then matched again during the counting process with each voter told how their vote was registered so that they can report if it was changed without their permission.

If such a process was enabled the vote would no longer be secret, breaching the Human Rights Act (plus our European and UN human rights committments). This would leave people open to abuse, intimidation and family voting. This is not theoretical – it happens with postal voting.

I think Andy Williamson made a telling point that wasn’t rebutted when he noted that banks manage to verify cash machine transactions without ever knowing the cardholder’s PIN.

As I understand it they don’t verify the transactions. They just verify the cardholder details via the PIN. So it’s not the same and it’s very much not anonymous (wave to the camera in the ATM!)

It is also worth pointing out that the current paper-based balloting system is not anonymous either, so again this would seem to be a case of making demands of eVoting which are not equally applied to the existing system.

Only in the UK is our paper voting system not anonymous. In all other modern democracies it is. And citizens of those countries are appalled when they hear of our antiquated system which is a holdover of the Australian system from the 1860s. The Australians switched to anonymous votes before we even adopted the secret (but numbered) paper ballot here in the UK.

Another question is whether any system can be both anonymous and verifiable anyway? If it is genuinely anonymous then who is to tell whether any ballot was cast by a legitimate voter rather than, say, dumped into the ballot box by a corrupt council employee before it is sealed?

Ah, it seems eDemocracyBlog is beginning to come to terms with the difficulty of the problem. It is very difficult to build a digital system which is anonymous and verifiable – in fact I believe it’s not possible with current technology. With paper it is possible, if the paper has security marks so you can trust its source and prevent ballot stuffing.

eDemocracyBlog then goes on to attack the Electoral Commission for failing to set up a certification process for e-voting systems. But it would be up to the Government to empower the Commission to do such a thing, and to provide funds for it to be conducted. It’s my view that certification, while necessary if technology is to be used, doesn’t resolve many of the serious problems with e-voting.

Later on the Commission are again criticised by eDemocracyBlog for failing to develop a strategy for voting modernisation. But this is not a task for the Commission – it is for government to set out their view, try to pass legislation and consult the Commission on the approach.

People do not need to know how something works, or even be entirely confident in its security and privacy policies, in order to use it in their millions. I could perhaps mention Facebook at this point.

This was the same argument made by VoteHere’s Jim Adler against me in the Oxford Union debate on e-voting. Jim argued that people don’t need to understand how a plane works to fly in it. But this misses the fundamental point. With a plane, or Facebook, the results are self-evident. You fly to your destination or your post on someone’s profile appears. With a vote, because it is secret, how do you know it was accurately counted as you intended?

With paper and a public count you are fairly certain, thanks to the known properties of pen and paper, that the outcome will be valid. With an e-vote you can’t have the same confidence.

eDemocracyBlog continues defending e-voting by suggesting the costs will be lower when used on a greater scale than for just the pilots. No doubt, there were one-off costs for the pilots. However I know that several of the providers swallowed significant losses for the pilots just so that they could stay in the market, hoping to win a juicy national contract.

Furthermore the contracts were agreed centrally by the government, not by councils as eDemocracyBlog suggests. So, especially when suppliers provided for several areas, there could have been economies. £58m for weekend voting across our country would be a fraction of the costs e-voting would involve.

There is no need for e-voting to happen. Certainly in the current times of tight budgets, e-voting is extremely unlikely to happen. However I’m sure that it won’t be too long before the spectre arises once more, just because people seem to like the idea of applying technology to everything they can. Thankfully more and more people are becoming aware of the great risks e-voting presents for very limited benefits.

Why can’t I vote at my ATM? Hansard Society Debate

This evening the Hansard Society hosted a panel debate in Portcullis House, Westminster with the title “Why can’t I vote at my ATM? – the practicalities of the ballot box.

I along with Electoral Commission Chair, Jenny Watson and Tom Watson Harris MP made up the panel. The audience was filled with a wide variety of interesting people including current and former Electoral Commission staff, civil servants, Lords and activists.

While we didn’t all agree on the reasoning, there was a fairly general consensus that electronic voting shouldn’t be pursued at the moment. There was lots of interesting debate on issues of access and turnout. I hope the society will put online a podcast or summary of the event in some form. I post below my opening speech for the event.

——–

Thank you for inviting me here to participate this evening.

I come to this issue as a programmer, as someone who has observed elections for the Open Rights Group and who, as a local councillor, has had a very personal interest in elections.

As an observer the ultimate compliment one can pay an election is to say that it was ‘free and fair’.

What does an election process need to do to be considered free and fair?

There are three key properties that ALL must be met. An election must be:

  • Secure
  • Verifiable
  • Anonymous

By secure we mean that the results cannot be changed, that only those entitled to vote actually do so and people can only vote one time.

Verifiable means that candidates, agents, observers and voters can check the result and have confidence that the result reflects the will of the people. Voters need to be sure that their intention was accurately recorded and counted.

Finally to prevent coercion, vote selling and bribery voters absolutely need to be secure in the knowledge that their vote is secret and that people cannot know how they voted. I am aware that the UK currently doesn’t have a completely secret ballot, we should, but that’s a debate for another day.

  • Secure
  • Verifiable
  • Anonymous

A properly run paper-based election can meet those three requirements.

However with current technology electronic voting cannot meet those three principles. It just isn’t technically possible to have an electronic system which is secure and anonymous whilst also being verifiable.

When the Open Rights Group observed electronic elections in the UK we were unable to declare confidence in the results, because we just couldn’t properly verify the counts at all, it was hidden behind the technology.

Online banking is a completely different problem, the transactions are not secret, we can see them in our statements and merchants collect lots of personal information about us to push through their anti-fraud systems. Technology is great for so many things, but not voting.

If you’ve heard the complaints from the music and movie industries over recent years, then you’ll know that computers are good at copying. With electronic voting we risk undetectable ballot stuffing on a massive scale.

Currently the very nature of paper – that you need a vehicle to move around lots of it, that it’s logistically challenging to deal with thousands of ballots – limits fraud and increases the chance of fraudsters being caught. With electronic votes the fraud can happen in a computer, where none of us can see inside, with millions of votes changed or copied whilst controlled by someone on the other side of the world.

I’ll save more details of the technical problems with electronic voting and counting for the questions, if people are interested. But there is a broad consensus in the computing world that these technologies should not be used. The Association for Computing Machinery and the British Computer Society as well as scores of academics have voiced their opposition. So far e-voting has been cancelled in Ireland, Netherlands, Germany, Italy and the province of Quebec. There have been serious problems found with e-voting systems in India, Japan, France, Belgium and of course the United States.

I might add that these systems are hugely expensive, costing many times more than traditional paper-based elections. In a 2003 e-voting trial in Sheffield, for example, the cost was £70 per e-vote cast versus £1 per paper vote. And on average turnout still declined during the UK’s electronic voting pilots between 2000 and 2007.

On turnout, we need to be very careful. Much of the over £50 million spent on UK pilots in the last 10 years was based on blind faith that online voting would boost turnout. It didn’t, simply because ease of voting is not the main factor for why people don’t vote. Indeed there are studies showing that people who live furthest from their polling station are most likely to vote!

People choose not to vote because they feel all politicians are the same, that their vote doesn’t count or they don’t know enough about the issues to vote. That’s a challenge for the political system to address, one which electoral reform could help with as there’s data clearly showing higher turnouts in countries with fairer electoral systems.

That being said, politics aside, what should we do about our electoral processes? We absolutely and urgently need individual voter registration and that could be tied in with an online electoral roll. That’s a place where technology could help voters, election administrators and party activists.

We need to clamp down on postal voting, it’s the source of most allegations of fraud. It will need to still be available, but in a much more controlled and secure manner.

We need to review polling day. I know the Electoral Commission have done quite a bit of interesting work on this. Moving elections to the weekends, perhaps all weekend, is one option but the consultation responses to this were, I understand, rather mixed. What we could do is declare a public holiday on election day, we could also consider offering, before polling day, early voting in town halls.

Finally, I think counts need to stay open, be manual, paper based and easily scrutinised. It’s only by watching piles of ballots add up, by observing them being sorted and checked, that we can have confidence in the result. What could help would be more standardised procedures for the counts. This would assist with training of all involved – at the moment every count across the country can be done in a different way. Let’s not stamp out local innovation, but let’s make sure there are minimum standards so we can have confidence in a modern, paper-based electoral system.

In closing, I believe electronic voting & counting are not the way forward, let’s update our existing electoral system whilst keeping it secure, verifiable and anonymous. The real challenge for engagement and turnout lies with our political culture and the fairness of our voting systems, not election administration.

India’s e-voting machines cracked

Rop Gonggrijp is someone always worth keeping an eye on. He was instrumental in revealing the problems with the Nedap voting machines used in Ireland and the Netherlands.

How he’s part of a team who have publicly demonstrated serious security flaws with India’s electronic voting machines. Time and time again India has been cited as a good example – but the reality was their systems lacked independent scrutiny. Now that expert scrutiny has been brought to bear, problems have been found.

How many more countries have to make the expensive mistake of rolling out e-voting before we all learn that computers and voting are just not well suited for each other.

Read more, and watch the great video at http://www.indiaevm.org

Rop’s post explaining some of the back story

VeTA – a new group campaigning against India’s e-voting, welcome!

(via Ed Felten’s Freedom to Tinker)

Upcoming events in Brighton & Cambridge

Two events coming up soon which will be of interest to digital rights type people:

  • Debating the Digital Economy Act Thur 29th April
    I’ll be one of the contributors at this debate, organised by Wired Sussex here in Brighton.
  • Internet Voting: Threat or Menace Tue 27th April
    Jeremy Epstein from SRI International is over in the UK and will be giving a talk at Cambridge Uni’s Computer Lab Security Seminar series. I did one of these a few years ago and it was highly enjoyable – the audience were engaged and very generous with their interest.

Links 15-04-2010

  • Israeli e-voting system shown to be insecure
    Israeli ministers are ignoring the global trend against e-voting. Not only that but they want to implement a radio-based (RFID) system which researchers at Tel Aviv University have already broken. Just crazy. Avi Rubin picks up the story on his blog.
  • The single mother’s manifesto
    A powerful essay against the Tories by Harry Potter creator J.K Rowling. Of course once Murdoch’s pay wall comes down I won’t be able to link to such things.
  • Twitter grows up
    At their first corporate conference, a raft of announcements including ways to make money. I don’t envy their trying to shift people from the free lunch they’ve had this far.
  • Stephen Fry – The Intelligence Debate
    What a marvellous presentation, absolutely comprehensive demolition of the problems with organised church hierarchy. I would never want be up against someone so smart and so witty! He nails it, let’s not lose the lessons of “the Galilean carpenter” but rid ourselves of  the organised hierarchy.

Electoral Commission Chair re-opens the e-voting question

I’ve just come across a Guardian interview of Jenny Watson, chair of the Electoral Commission, which includes this:

People, she said, should also be allowed to vote online. “There will always be people who will want to vote in person, just as there are people who want postal votes. But you could allow more choice in the system,” she said.

It’s extremely disappointing to hear the Chair of the Electoral Commission, of all people, promoting this kind of view. These kind of facile arguments were being made by Labour ministers 3-4 years ago.

Since then we’ve been on a journey with many MPs, publicly at least, agreeing e-voting is a long way from being ready for consideration, if ever. Most Electoral Commission officers I’ve met have also been taking ever stronger lines against e-voting and e-counting.

I absolutely support the Electoral Commission being more outspoken and pushing more forcefully for reforms that improve the security, accuracy and accessibility of our elections. However I believe, I hope anyway, that Jenny Watson’s comments do not reflect the views of her staff who thus far have been very conscientious (but perhaps too soft-touch) in highlighting the serious risks associated with postal votes, e-counting and e-voting. Online voting being the most risky of all of them!

The risks & challenges of e-voting are laid out in detail in the writings section of this site.

London: We have a non-answer on e-counting

So London Mayor Boris Johnson did answer Andrew Boff’s question on e-counting, or did he? Here’s the background on the question, and the section of Mayor’s question time copied in below (source [PDF]):

Elections
Question No: 3574 / 2009
Andrew Boff

For the 2012 elections would the Mayor prefer a £5million+ electronic count where the bulk of the costs would go to a foreign computer company or a £3.5million manual count where the bulk of the costs would go into Londoner’s pockets?

Answer from the Mayor:

The Authority’s Scheme of Delegation quite properly gives the Chief Executive, in his role as the Greater London Returning Officer, the right to take all the decisions about how GLA elections are delivered. That accords entirely with the practice across the country that politicians contest elections, and do not decide how they should be run.

The answer completely dodges the nub of the question as well as the budget setting powers of the Mayoralty along with the London Assembly. Of course politicians in power get a say in how elections are delivered, why else would a race for e-voting have been begun when Robin Cook had suggested an electronic general election after 2005 was a target?

Boris either doesn’t care, doesn’t understand or doesn’t want to take on his Chief Executive.

The question now becomes, how do we hold the Greater London Authority’s Chief Executive to account about election arrangements if the directly elected Mayor won’t?

Where next for e-counting in London?

On 18th November I hope to find out the future of e-counting in London. Conservative London Assembly Member, Andrew Boff, will be asking London’s Mayor, Boris Johnson the following question:

Elections
Question No: 3574 / 2009
Andrew Boff

For the 2012 elections would the Mayor prefer a £5million+ electronic count where the bulk of the costs would go to a foreign computer company or a £3.5million manual count where the bulk of the costs would go into Londoner’s pockets? (Source [PDF])

This question sums up the view the Open Rights Group and I have been advocating. Does it really make sense to splurge a huge sum of money on e-counting when we know a manual count would be cheaper, let alone easier to verify and more trusted by voters and politicians alike? In these times of restricted public funds wouldn’t the millions for e-counting be better spent on other priorities – I certainly think so.

The back story is that after strong urging from the Electoral Commission and the Open Rights Group, London agreed to conduct a cost-benefit analysis of continuing with e-counting versus using manual counting. When it finally emerged the analysis was obviously biased towards e-counting, trying to minimise the greater cost of e-counting as much as possible.

When a round table was organised to discuss stakeholder views of the analysis, attendees were told that London would proceed with e-counting regardless, rather making the process and that meeting pointless. The Guardian picked up the story. At this point ORG released its own comments on London’s analysis (which I led on drafting) but the Electoral Commission had yet to release theirs.

When the Commission did release their views (something which I was very remiss not to blog on then, sorry loyal readers) we were in for a pleasant surprise. The response was very direct in criticising the weakness of London’s analysis and failings in the UK Government in providing a clearer framework for the use (or not) of such voting technologies. The killer quote:

“However, having studied the cost-benefit assessment, we are concerned that there are potentially a number of gaps that suggest the advantages of e- counting may have been overstated. For example, it was assumed that e- counting was free from human error. Conversely, the assumptions made about the speed and accuracy of manual counting seem overly negative. Also, important safe-guards, such as preparing a manual count as a back-up and the manual checking of a random sample of ballot papers do not appear to have been considered when costing e-counting.

“Therefore, we would suggest that a determination that e-counting is affordable and that the cost is not significantly or disproportionately more than that of manual counting cannot be made without undertaking further analysis of the costs and benefits which takes into account these and other points…”

The Commission also notes the moral hazard in there being only 2 likely suppliers for running an e-counted London election. It also adds a final significant warning:

“We believe that there are considerable risks in undertaking a large scale e-counting exercise in the absence of such a national framework and that the current cost-benefit analysis by GLRO does not sufficiently fill the gap created by this absence.”

It was the strongest public statement I have ever seen from the Commission, and I couldn’t have been more delighted by the firm approach they took. GLA officers are understood to be re-doing some form of analysis following the Commission’s request for more work, meanwhile however procurement also seems to be going ahead. More coverage by Mark Park.

The hope is that Andrew Boff’s question will reveal the current direction and show how committed Boris Johnson is to spending taxpayer funds on election technology.

A bad day for the public interest

What a strange day it has been. I’ve had a very productive time at work whilst lots of other things have been bubbling over:

  • London Elects and the Greater London Returning Officer (the people responsible for the London Mayoral and Assembly elections) had asked for responses to their cost-benefit analysis of manual vs e-counting in 2012. I had just completed ORG’s response earlier this week, which argued that given the £1.5m saving from going manual, there seemed to be no good reason for e-counting. Today was a ’round table’ to also explore issues covered in the analysis. However rather than being the consultation event we expected, ORG’s Executive Director was told that the decision to e-count the 2012 London election had already been taken. Not even a pretence of keeping an open mind! No proper debate or consideration has taken place, just a firm commitment to press ahead with e-counting regardless of costs or consequences.
  • Meanwhile in Brighton & Hove I submitted a formal request to Brighton & Hove City Council’s acting Chief Executive that he ‘call-in’ a decision made by the Tory Cabinet earlier this month. This means the decision is suspended and hopefully will be examined by a scrutiny committee. Why? Because the reports for the decision, over pedestrianising parts of East Street,  failed to include comments from any residents in spite of several having provided detailed objections. Council decisions cannot be based on consultations which have failed to include residents views. This just makes people (more) cynical about consultations and prevents decisions being taken on the balanced information.
  • Finally some Freedom of Information requests I put in some time ago have come to fruition, somewhat explaining why such huge rent rises are being demanded from seafront businesses. The reason? A big fat commission-based fee for the consultant leading the rent reviews for the Council. More details in “Huge consultant fees encourage seafront rent hikes“.

Diebold sell their voting unit to ES&S

This morning we learn that Diebold have sold off their voting-machine business to ES&S, their main competitor. Between them Diebold and ES&S control around two-thirds of the US voting market.

Ever since the bad news about Diebold started rolling in a few years ago, they’ve been trying to ditch their voting unit. Security scares aren’t good for business when your main product is ‘secure’ cash machines and such like.

Having failed to find a seller they renamed their voting unit to ‘Premier Election Solutions’ in the hope that would at least protect them from some of the, ahem, reputational issues. How or why they now managed to get ES&S to purchase the unit know is not clear, but the tiny $5 million price tag must have been attractive.

Diebold expect to book a loss of $45 to 55 million on the deal, not exactly a marvellous return. Both Diebold’s and ES&S’ voting systems units were created by the Urosevich brothers so there’s some kind of closure in this transaction bringing the units together.

ES&S were one of the suppliers in the 2007 UK pilots including South Bucks which had significant problems and delays with their count.

In papers on the 2007 pilots released under the Freedom of Information act to the Open Rights Group, it was clear that the government wanted to avoid using Diebold at all costs because of the negative PR associated with them. If pilots are to happen again (which thankfully I think is unlikely) will ES&S be avoided too thanks to this acquisition?

This deal will represent significant consolidation in the voting market and unhealthy control in one company. I hope the US authorities carefully examine this deal, but if not it will be another signal to the rest of the world not to follow in their foot-steps when it comes to voting.

NY Times Report: “Diebold sells its voting machine unit to competitor”