Categories
voting

Problems with the 2009 European Election Count

Errors displayed at the Southampton 2009 Euro count

This post is long overdue, I apologise, by-election campaigns and such like got in the way.

On Sunday June 7th the count for the South East region of the European Parliamentary elections was conducted at St Mary’s stadium, Southampton. In attendance were lots of media as well as candidates, agents and activists along with significant others.

I went along with my wife as one of the Green Party’s candidates and proceeded to experience a very long night with very little information and lots of frustration. What had to happen was for each local authority in the region to count its ballots and submit the results to the Southampton HQ. A few areas were delayed by recounts, mismatched ballot accounts (i.e. ballots lost or in the wrong pile) but there were clearly technical issues in Southampton also delaying matters.

I had learnt a few weeks earlier that the results from local authorities were to be transmitted to Southampton via a ‘secure website’. In essence, as I understand it because I never saw the system or any detailed specifications, returning officers would type the results (twice to verify) into an SSL form which was then emailed to Southampton and also stored in a database. I copy below the full response I received about my enquiries from the Regional Returning Officer Mark Heath.

I had concerns about this setup, what checks were being done and so on. So I ensured local Green agents texted us their results so we could check them against what the system claimed. I felt the returning officers should be collecting out-of-channel verification too via fax or telephone, but they weren’t interested in that idea — too quick and happy to trust the technology sadly.

On the night I saw the technology staffers and returning officer team looking tensely at a couple of computers. No surprise when all the informational displays were showing server errors, exceptions and so on. This left many unhappy candidates and agents who were quick to query the sense of these systems with the returning officer. How I wish they would remember these feelings in the weeks after… every election I observe with technology their are howlings about the problems on the night but a week later most are too busy celebrating their wins or analysising their losses to make the case about how the election was run.

Let’s run through the problems we had with the informational screens:

  • They crashed regularly, especially earlier in the night;
  • The colour coding was confusing as reds, greens, yellows were used in a non-political sense to inform what status various local counts had;
  • They were often difficult to read with too small text or windows not at full size;
  • The updates scrolled by so fast it was impossible to do much than see the top party on the first pass.

You can see the full range of problems screens on Flickr.

It’s worth noting that while they would have been detected in the end, someone could have caused chaos and mayhem by manipulating this results system either just the display (which was basically a webpage on a projector) or the tabulation/counting of results themselves. Given those possibilities I was concerned that the Electoral Commission had not had a role checking this software and that fairly serious failures were happening on the night.

I’m a technologist. I spend all day with computers, programming them, using them, talking about them. I remain deeply concerned by the use of technology in elections especially when it is done without the proper rigour of testing and certification. Things can and do go wrong, especially for high pressure events like elections.

I don’t think we would have been any worse off if in Southampton a fax had been received from every count with the results which was manually checked against the online results. These could have been tabulated in a public way the way ballots are checked. We have to be more cautious before jumping both feet first into a computer-only solution.

Responses from Regional Returning Officer to my queries prior to election day:

The system is secure, and has been fully tested already which has shown it to work fully  -and indeed without the potential errors that a system that requires data to be managed via Phone / FAX & re-inputted on several occasions – but I will let you know chapter & verse shortly. Thanks.

UPDATE: Adrian Windisch, Chair of Reading Green Party, writes to say Thanet Borough Council’s website reported 6,001 Green votes, but the South East region count recorded 3,001 votes. This was later corrected on the Thanet website following Adrian’s enquiries. Which goes to show these things do need checking!

….
On your question, the suppliers have advised us that:

“The European Regional Returning Officers Managements System (ERROMS) application along with the application databases reside on high powered servers within defined security level segments.

All hardware devices within ERS’ live hosting environment are duplicated to facilitate a highly redundant and resilient network. Market leading security appliances at the perimeter provide rich stateful inspection of traffic flows protecting the web servers from malicious activity. A further layer of security has been added to the servers using Anti-Reconnaissance software. The web servers are load balanced to enhance performance, should one of the servers fail the other will automatically service the entire load until the offending device is returned back to its functioning state. The database servers are hosted within an isolated network forcing database requests to be inspected by the firewall a second time. All databases using live replication software are replicated to a secondary offsite server which provides redundancy and disaster recovery.

Databases are further protected with database level passwords and access-granting security features. Intrusion Detection and Prevention Systems detect suspected efforts at server intrusion. A 24×7 automated monitoring system using specially designed intrusion detection parameters detects and blocks attempts at security breaches. The system logs all intrusion attempts, and these logs can be preserved to aid in prosecution of attackers, should such action be warranted.

All servers have been hardened to remove any non-essential code and are subject to strict operating system security such as permissions and password access. The hosting network and Web Applications are scanned weekly to ensure our web sites, servers, and internet-connected devices are free of known vulnerabilities. It also determines whether our site passes the SANS Top 20 Internet Security Vulnerabilities list as defined by SANS, the FBI and FedCIRC.”

The key elements to reduce error include;
• Initial entry of  results are submitted twice to reduce keying errors and are only accepted when both sets of results match.
• Additionally, submitted data is emailed to provide an electronic paper trail that can be used for confirmation of data submitted by both the RRO and LRO’s
• Declaration of Local Results is generated from the system with results authorised by the RRO and can be checked by the LRO’s against local records to ensure that the submitted values are correct.

Effectively this means the submitted results by the LRO are checked 3 times before local declaration and will help eliminate the transposing of figurers received via phone/fax which has been experienced before.
There are now 6 regions using this. We wouldn’t be doing it unless we were satisfied that it was secure. The risk of transposing figures data is one of the reasons for moving away from the phone/  fax route, although that remains available as a contingency / fall back option.

Categories
voting

Germany rejects e-voting while Geneva ploughs on

I received two contrasting emails today. The first was Geneva's Chancellerie d'Etat confirming that a citizen referendum has approved the permanent use of Internet voting with a 70% majority. The email goes on to report that other Swiss cantons are also looking at adopting the technology sigh.

But don't worry, Germany brings good news. Ulrich Wiesner and his dad took the law permitting voting machines to the constitutional court, and won. Ulrich presented his work on this at ORG's February 2007 e-voting workshop (PowerPoint slides) but the details on the court result aren't available online in English yet. Rop Gonggrijp (Dutch e-voting activist), summarised the result as:

Today the court ruled that the German “Bundeswahlgeraeteverordnung”,
the law that deals with voting machines, is unconstitutional and void.
Much more importantly, they gave German citizens the constitutional
right to see al phases of the voting process (in its entirety) happen
before their very eyes. They strongly rejected the notion that
'delegated trust' can ever be a replacement for trust that comes from
(the possibility of) direct observation or that observers can be
required to posess any kind of specialised technical knowledge.

Whilst the ruling is specific to the German constitution it's yet another country turning away from e-voting. What will it take for the British government to rule out e-voting for the foreseeable future?

The judgement in German: http://www.bundesverfassungsgericht.de/entscheidungen/cs20090303_2bvc000307.html
Very rough translation: http://bit.ly/MISi

UPDATE: Official press release from the court, in English, thanks to Ulrich Wiesner for the pointer.

Categories
voting

No hack detected does not mean unhackable

USA Today recently reported that Estonia has passed legislation to allow for mobile phone voting in their 2011 parliamentary elections. This is a very worrying development as Estonia’s previous electronic elections lacked proper scrutiny in my view.

 

The article quotes officials who ‘dismissed security concerns’ and stated that the 2007 elections ‘proved secure despite worries’. Nothing was proved secure… nobody was provably caught hacking. That does not mean that the system wasn’t or can’t be hacked. What it means is that either the attack was undetectable OR holes were exploited that time around.

 

Every system has vulnerabilities, these can be managed, fortified and monitored. When people claim absolute security they either don’t know what they are doing or they are being dishonest. Neither is what you want in people running elections.

 

 

UPDATE: Dan Wallach has a good, more technical critique of this news in Estonia.

 

Categories
voting

Pre-Nov 4th e-voting roundup

Comment and speculation around the US voting system is quickly reaching fever pitch. I really fear for election day, I hope we don't see any disasters which undermine the result or even prevent it being declared. However I fear that is what we will indeed see. Regardless everyone needs to work in a spirit of openness to make sure all problems are understood and resolved in the fairest way possible. Such an attitude isn't on show in my first link…

  • Russell Michaels and Simon Ardizzone, the producers/directors of “Hacking Democracy” have produced an excellent new, short documentary highlighing some more of the serious problems in the US electoral system, particularly in Florida. For the first time they show how any election administrator can manually alter the vote in the Premier (aka Diebold) GEMS system. Part 1 and Part 2 are on YouTube. I believe a Hacking Democracy DVD is now available too.

  • There is now an iPhone application 'Twitter VoteReport' to help you report problems on polling day. It's a great idea to increase the number and consistency of reports. via TUAW

  • I recently participated in a short radio interview for PRI's “The World” on e-voting around the world. You can listen online here

  • I've found Barack Obama's online campaigning insprirational, though I certainly don't agree with all of his politics, there's plenty to admire. His story is a remarkable one, as is his campaign's purchase of air time for a 30 minute television programme on the major US networks. Unimaginable for us Europeans really. You can watch what the money went on via YouTube.

  • It wasn't a surprise, but Michael Wills MP has confirmed that there wil be no e-voting in the UK next year. My TheyWorkForYou alerts flagged this up as effectively as ever, and ORG have blogged it.

Categories
voting

E-voting update, October 08

  • I recently had the priviledge of being invited to participate in PressTV's Cinepolitics programme reviewing the US e-voting film, 'Uncounted'. The film struggles to make the pieces fit together, though there are some strong moments. If you haven't seen it then I would hands-down recommend 'Hacking Democracy' over 'Uncounted'. You can view the episode of Cinepolitics below:

Categories
voting

ORG 2008 e-counting report released!

The Open Rights Group have released their report on the 2008 London e-counting elections. The key finding is:

“…there is insufficient evidence available to allow independent observers to state reliably whether the results declared in the May 2008 elections for the Mayor of London and the London Assembly are an accurate representation of voters’ intentions.”

Once again voting technology has obscured the counting process and made it impossible for independent observers to have reasonable certainty in the results. A very expensive way to reduce confidence in our elections.

I was at the London count this year, as a Green Party counting agent, and everything in the report fits with what I noted.

Categories
voting

Another study agrees, our electoral system is vulnerable

Stuart Wilkes-Heeg's report “The Purity of Elections in the UK: Causes for Concern” [PDF download] has garnered some decent press coverage. Funded by the Joseph Rowntree Reform Trust (who also funded ORG's election observation mission in 2007), it's a good report which covers a broad number of areas in which our electoral system is weak (disclosure: I was interviewed by the report's author for their research).

A leader column in The Guardian, and a BBC News report both give the subjects a good airing. But it's so depressing to hear the same old 'maybe' response from the Government. They let this situation get to it's current appalling state whilst ignoring clear calls from The Electoral Commission and many other independent voices.

A clear, simple individual voter registration system based on diverse photo IDs (not the national ID card) is clearly what's needed — I just don't understand why the Government is running scared from this.

Categories
voting

How short term?

Michael Wills (Minister of State, Ministry of Justice):
There are no plans in the short term to extend the use of e-voting and e-counting to (i) local, (ii) European Parliament and (iii) general elections. (source)

How short term…?

Categories
voting

Disappointment over MoJ e-voting response

I was sorely disappointed by the Ministry of Justice’s response to the Electoral Commission’s evaluations of the May e-voting & e-counting pilots in England (which implicitly addressed the ORG report on the elections which was formally submitted to both bodies).

Given past form it wasn’t an enormous surprise that the government failed to take on most of the lessons the disastrous May pilots offered up to them. As I’m knee deep in the Regency By-Election campaign ORG’s Chief Commandant par excellence (aka Executive Director) has led the charge on the blog posts: Firstly Open Rights Group dismayed by Ministry of Justice response on e-voting which is a joy to read and then a quick one on the Scottish Affairs committee.

By the way, if you’re not a member of ORG, why not?! Join today

(Also if interest is the Kable report on all this.)

Categories
voting

The complexity of e-voting

It’€™s well known that I’€™m opposed to the introduction of e-voting and e-counting in the UK. This is fundamentally because the technology of today cannot deliver on the unique requirements of democratic elections. Elections require secrecy, accuracy, anonyminity and verifiability. This is an incredibly difficult combination of requirements to meet. Banks or online shops don’€™t meet all the requirements – while others may not know what you bought (secrecy) unlike voting your identity is known to the bank or vendor (anonyminity) so that they can deliver their services and check if you are a fraudster. By checking your bank statements you have an element of verifiability not available in voting.

While many very clever people are working hard on a variety of cryptographic solutions to these problem, I think they miss the point. I’m not saying that their work isn’€™t interesting or clever. It€’s just that their proposals are usually very complicated and hard to administer. The result is that they suffer from a lack of transparency as voters and candidates struggle to understand what is going on. Recent demonstrations of promising cryptographic election methods descended into farce when the inventors couldn’€™t administer their mock elections due to the complexity of the procedures.
I just can’t see any pressing, convincing reasons to be spending large sums of money and introducing new levels of risk to our voting systems by making them electronic. There are bigger, more important challanges such as climate change or caring for our aging population.

A hundred years from now there may well be a technology or a theoretical breakthrough which makes it trivial to implement e-voting that conforms to the requirements of secrecy, accuracy, anonyminity and verifiability. I can’€™t see such developments on the horizon, but I can’€™t rule them out. I very much doubt I’€™ll still be here in a century, but I rather do hope we’€™ll have been wise enough to focus our brightest on more pressing issues than just making our votes electronic.

(Cross-posted from Our Kingdom)