Jason Kitcat

Emilis Dambauskas reports that the President, Parliament and Electoral Commission are all pushing hard for the use of Internet Voting in the next possible election. They are rather weakly claiming as justification the growth of the Internet, EU e-government obligations (no! voting isn't government, it's democracy) and also Council of Europe work on e-voting.

The proposed model is Internet only, seemingly inspired by past Estonian pilots. But because Lithuania does not have an e-signature infrastructure banking authentication systems are being proposed for voter authentication. This is wrong on so many levels: Are people without bank accounts at a disadvantage? Are people working for banks going to have access to privileged information? Will bank worked be able to create new authentication credentials?

Emilis, who works for a bank, has been an election worker and is also a coder noticed the announcement and has got some press coverage for those opposed to Internet voting. He published a paper on his site, which he summarised in English as:

In my paper I state 4 main concerns:

1. Citizens will not be sure if the election results are legal, because “experts” will be used instead of ordinary spectators (which can be anyone)
2. One of the main cornerstones of democracy will become dependent on big business (usually foreign capital) and IT expert influence
3. It would be easier to do election fraud
4. There will appear a big risk of disclosing information on how people voted (which should be secret under our Constitution).

I support these concerns with 4 main groups of arguments:

1. System based on advanced technology will never be understandable and transparent enough for the great majority of Lithuanian people
2. A centralized system is in essence less secure than the current decentralized (we have 2000 voting districts with 400 – 6000 voters in them).
3. The system described in the concept is not secure, because: a. the voter votes at home, and there can be both influence with force, or bribery b. the security of the voters computer (think Windows viruses, trojans, botnets) is not taken into account c. bank personell can sell identification date to interested parties (that would definately be a crime, but very hard to trace — I support it by also stating that I currently work at a bank) d. the SSL certificate for the i. voting server would be either issued by foreign company (like Verisign), or not supported on users computers (Aidas Kasparas http://kasparas.net/, though he is in favour of i. voting helped me with this argument — he's a real expert of networking and server administration) e. noone can really guarrant total security of the i. voting server (think about hidden virtual machines underneath the OS, hardware that secretly copies data and so on) — that would be James Bond difficult, but if you can own a country by doing that it surely pays off.
4. I stress that goverment institutions most probably don't have enough technology competence for such a project (I point to the mistake with private and public keys in the concept, approved by both NEC and the parliament; I also use the examples of Diebold in USA and the Dutch hack of the voting machines)

I do hope Emilis and others succeed in bringing some sense to those pushing for Internet Voting in Lithuania. The Internet isn't well suited for voting, but it is for collaborating so I know that throughout Europe activists will be supporting each other as issues like this arise.

With build-up to the 2007 pilots in full sway, I've been looking over details from the 2003 pilots. A few days ago, when fixing a link, a small error in an Electoral Commission table briefly caught my eye. I assumed I had copied it down wrong and went on to something else.

But when someone asked me to send them a link to my 2003 turnout analysis I checked the table again. I had copied the table correctly, one number had been calculated incorrectly. So I checked a few more… only to find that the change in turnout had been calculated incorrectly for 4 of the remote e-voting pilots and 1 of the kiosk pilots. The errors had, overall, made the drop in turnout appear smaller than it was.

Being the curious sort I then tried to find some source figures for the turnout figures used, just to check these were correct. The best source I could find were the Electoral Commission's local authority-specific pilot reports. And what can I say… 12 out of 13 remote pilots had figures which were either slightly or very different. Ipswich was the worst change with the change in turnout going from -0.3% to -7.01% with the new figures. Some changes are due to rounding of some numbers, but not something like Ipswich.

Overall, for remote e-voting pilots, the new figures resulted in a 23.9% fall in the average turnout from -0.71% using the published changes to -0.88%.

See all the figures and more in my updated 2003 turnout analysis

The Independent and The Guardian are both reporting on how an at least partial recount of the Italian general election will be started in January.

Controversy first began when Berlusconi claimed rigging had cost him the election and it seemed like he might refuse to concede to Romano Prodi. The Italian legal system confirmed Prodi's coalition as the winners by around 27,000 votes. Hence the new Italian president, Giorgio Napolitano, let Prodi form a government.

Then left-wing journalists released a DVD included with a magazine which alleged that Berlusconi had rigged the election using expertise from the USA (a new American export?) to change results during the electronic collation of regional results. In particular the number of blank (spoiled) ballots shows discrepancies when compared with the number and distributions seen in previous elections.

So the Senate elections committee has ordered a sample to be recounted. The Guardian reports that 700,000 ballots will be re-examined but that the process will not be completed until the end of Mr Prodi's term in 2011 – can it really take that long?

In the meantime, as previously noted, Italy has ruled out the further use of e-voting machines in elections.

The US National Institute of Standards & Technology (NIST) has a long history of examining voting technology dating back to Roy Saltman’s important reports highlighting the problems with punch-card ballots onwards.

At the moment NIST are working in helping to develop future voting standards for the US Election Assistance Commission.

A recent technical paper written as part of this process has been put on their site. The paper states that:

“NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the [committee] is that the DRE [Direct Recording Electronic voting machine] in practical terms cannot be made secure.”

The paper takes an interesting approach to examining voting system accuracy using a concept of ‘Software-Independence in Voting Systems’. Their definition:

“A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome.”

I think this is a helpful concept for thinking about voting systems as it requires that a system’s accuracy can be checked, such as through a voter verifiable paper trail. As I’ve mentioned before, bolting a paper trail onto an electronic voting machine is less than ideal and creates a whole range of possible problems particularly in terms of usability. But given the situation in the US it was an understandable fix to ask for, certainly much better than having just touchscreens with no audit trail at all.

The paper identifies three readily available software-independent systems:

1. Optical scanner using manually marked paper ballots
2. Optical scanner using an electronic ballot marker which can produce a richer user interface for accessibility and alternative languages
3. Electronic voting machines with a voter-verifiable paper audit trail.

I have reservations about the security of optical scanners but they have the obvious benefit of providing a voter verified ballot for recounts and audits. The authors of the paper seem to have major doubts about option 3 but put much of the debate beyond the scope of their work.

This paper is a useful contribution, their views on the problems with voting machines confirm those of the computer security community who have been working for years to make the failings of e-voting clear to all.

Read the paper [PDF]

More about this:
InternetNews
Brad Blog
Ed Felten
Associated Press

(via The Open Rights Group)

The Italian Minister of the Interior, Giulano Amato has announced that following pilots the government has decided not to pursue electronic voting any further.

“We decided to stop the electronic voting machine […] During the 2006 elections we experimented with the machines as a voting system, and not a system that counts the sections, without any reference to the legally valid votes. Now that we arrived at the point in which we decide to continue, passing from the experimental phase to the implementation, using the machines for the counting as well, it is obvious: we decided to stop. It is a suggestion that came from the ministerial offices, I presented it to Prodi expressing my opinion as well, the Premier agreed. It will be the triumph of our ancestors, but for someone of my generation it isn't unpleasant either. Let's stick to voting and counting physically because less easy to falsify” (Source)

This is fantastic news for Italians and for all of us around the world trying to prevent the introduction of e-voting. In the space of a month the Canadian province of Quebec has introduced an indefinite moratorium on e-voting, the Netherlands have withdrawn all of a specific model e-voting machine and now Italy have called a halt to e-voting. Is the tide turning?

Following up on the earlier claims that the Italian general election could have been rigged, the journalists behind the allegations are now being investigated for publishing false information. Whether the allegations themselves are being properly investigated isn't clear – there seems to be a lot of recrimination at the moment and little in the way of facts.

(Thanks to Emanuele and The Open Rights Group for the links)

Very recently someone called Daniel Gray has appeared online with a new blog filled with views that are strongly pro electronic voting.

Rather than attempt a rebuttal in the rather limited commenting system Blogger provides I'm posting in full here. I welcome the opportunity for debate, but I think it would be helpful if Mr Gray was completely open, as I have been, about what his background and affiliations are. It will help us all to be clearer about our biases.

In False Sense of Security Mr Gray points out an error in GNU.FREE, the Internet voting software I originally designed and wrote. He's correct that the code doesn't do what it was intended to do as well as it could have done. Not a surprise as nobody ever claimed the software was perfect!

The issue involves securing the logging process, a key part of the audit trail for any e-voting system. When working on this I found that the better the audit trail, the easier I was making it for someone to infer how someone could have voted – there's a strong oppositional tension between audit and the secret ballot.

Anyone has been able to view this code online since 2000, yet this is the first time this problem has been pointed out, which rather shows how few people have the expertise and willingness to audit code.

But discussing a system which has been discontinued since 2002 is not really the key issue here. Mr Gray strongly disagrees with the arguments being made against electronic voting methods. I'm going to tackle them head-on in this one post.

Mr Gray is conflicted about the role of voter trust. In one comment he writes:

As to the issue of voter trust, voters know that they aren't qualified to understand if something is trustworthy. They'll take the word of someone trustworthy who has inspected and certified the system.

Yet in an earlier post about the Single Transferrable Vote system Mr Gray argues that until the rather involved counting process can be made significantly easier for voters to understand STV is, in his view, unlikely to be adopted in the UK or trusted by voters.

Which is it? Voters need to understand a voting system themselves to trust it, or not? In my view voting is an important collective societal act which must be open for all to participate, understand and trust.

Mr Gray commented on the Wired News article I had previously noted. It's very interesting that I perceived the article as being pro-evoting whereas Mr Gray saw it as being about the problems with e-voting.

As a protection from client-end problems Mr Gray cites the old CESG e-voting model system from the 2002 CESG e-voting Security Study. I cannot see how voters will trust their vote to entering an apparently random number which is connected to their candidate choice somewhere. Indeed, because the candidate numbers are unique to that voter then voters will worry that their vote will be more easily traceable than before.

The CESG model also will create a tempting target where all the candidate numbers and voter identities are linked so that votes can be decoded for counting. Instead of changing individual digital ballots, why not attack this list?

I am glad that Mr Gray does see that vote selling and coercion are real risks with remote e-voting. However allowing multiple votes per voter with only the last vote counting is not the easy solution to this problem. Everyone will know about this feature so attackers will not just watch someone vote and be happy with it. They will force someone to vote and then remove or destroy their voting credentials to prevent them voting again.

Mr Gray rails against the argument that vote tallies are just a number in a database which can be changed. He can't understand why people use this argument when vote tallies could be better secured. I tried in the comments, let me try again. The reason this argument persists is that despite supplier guarantees this hack has been shown to work again and again (e.g. Hacking Democracy).

I'm surprised that Mr Gray thinks that “checking that the certificated code is the code on a system is relatively straight-forward”. Given thousands upon thousands of machines (with polling station e-voting) and tens if not hundreds of servers (for remote e-voting) it is not at all easy to verify, in a way that voters will trust, that every single byte on every bit of hard disk, ROM and flash memory is as was certified. And what if whatever method used can be fooled or if certification does not catch all potential problems?

Microsoft have a market capitalisation of $289.80 Billion and have not been able to convincingly resolve the security issues in their software after many years of work. The UK budget for certifying and checking e-voting will be a fraction of whatever Microsoft has to spend – what chance is there that the checks will even approach comprehensiveness?

Mr Gray has “faith and trust in our ability to pull together such systems.” I don't know who 'we' is in his case, but he assures us that “the very best brains and technology are being put behind this problem”. Judged by whom exactly?

Because I personally haven't written weapons guidance or banking software Mr Gray doesn't feel that I have the right to participate in the e-voting debate. Well the Minister responsible, Bridget Prentice, hasn't either – should she step aside also? GNU.FREE may be of poor quality in Mr Gray's opinion (though we don't know his qualifications or affiliations) but he's been open to contribute improvements to it. Award-winning GNU.FREE was reviewed by a number of people over the years whose comments were openly integrated into the documentation still available online.

Mr Gray ignored one of my favourite quotes by Bruce Schneier the first time I used it in a comment, which was a shame considering that Bruce Schneier is linked to from his blogroll. But Bruce has a point and he knows far more about security than I ever will:

“Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democacy are too great to attempt it.” (Source)

I asked Mr Gray why we need electronic voting. He wrote:

Verification scales significatly better in an electronic system, could you imagine if all the millions of voters demanded to check that their ballot was counted correctly? How much judicial and local authority time would be eaten by that?

Mr Gray confuses individual and group verifiability. With a truly secret ballot a voter cannot follow their particular vote all the way through the count. But collectively we can follow our ballots, scrutinise the telling process and make sure they are counted accurately.

Mr Gray also has a go at the arguments made by an Italian e-voting campaign website. He disagrees with the statement that “computer procedures are not verifiable by humans as we are not equipped for verifying operations occurring within an electronic machine.”

We cannot see electrons, thus we never can directly verify the operations of a computer. What we attempt to verify is what the computer reports to us. Verification tests are not done during elections but before or after. So we do not verify the actual election itself if it is electronicly voted and/or counted. It is fairly trivial to have a system do one thing during testing and another during a live election. Testing does not prove that a system is without flaws. All it shows is that during the tests, the system responds as expected. The system could behave differently during a live election because it is programmed to do so or because there are conditions and factors which have not been accounted for in the tests.

Mr Gray goes on to argue that e-voting systems aren't black boxes because you can see the source code. Well, with the exception of GNU.FREE and the source code leaks in the US, as an ordinary voter you can't see the code. As I covered in LinuxUser, the UK government appeared to offer open source code but then retracted this saying it was a mistake. So if we can't see the source how on earth can e-voting systems be claimed not to be black boxes?

Mr Gray continues:

People expect, in our technology based society, to be able to vote electronically.

I don't believe this statement to be true, my previous blog post addresses this. McGaley and Gibson's recent paper also shows how a little bit of informed debate changes people's views:

In the absence of controversy, surveys of voter attitudes usually reflect satisfaction and trust […] When concerns are raised by experts and in the media, however, public opinion can change dramatically. For example: in Ireland in 2003 a survey by Amarach Consulting found that a majority of Irish citizens were in favour of the introduction of e-voting. Less than a year later, after controversy over the system had led to the establishment of the Commission on Electronic Voting, a Red C survey found that 58% of respondents felt that “…the [e-voting] proposal should be scrapped until such time as a paper back-up is incorporated into the system…” and “one third of all voters were unconvinced that their choices will be registered properly”. (Source)

David Wilcox's recent video clip of my arguing against e-voting really didn't sit well with Mr Gray. My citing sunspots as a potential risk to e-voting systems was tough for Mr Gray to swallow. Yet the risks they pose are well known, some example problems include the Toronto Stock Exchange halting trading for 3 hours. Unsurprisingly Mr Gray wields the idea of backups, but as this ACM column argues, disaster/failure recovery is rather harder than we might sometimes imagine.

Mr Gray then takes two approaches in countering my views. Firstly he points out that there are flaws in the paper ballot system. This is a rather old distraction tactic, I have not once said that our current system is perfect or infallible – there are quite a few improvements I can think of. The difference between paper and electronic votes is that the scale of electronic votes can be much greater than ever before possible.

We're talking about e-voting, not paper voting, and in response to several of the risks I raise Mr Gray's answer is to repeat the undefined catch-all phrase 'secure hosting facility'. Any hosting facility has people working there to service the machines, so potentially they could be bribed or influenced. But even if, implausibly, the facility itself is utterly impregnable, these servers need to be accessible to the outside world so electronically attackers will have a way in. Of course a properly secured hosting facility would be important but it really doesn't address the fundamental issues with e-voting: secrecy of the vote, auditability and trust.

A clarification is needed as Mr Gray claims I'm opposed to postal votes. I am opposed to blanket all-postal elections. With a well-constructed application process and clear criteria for applicability, I support allowing postal votes on application.

It's important to remember the distributed nature of paper-based elections. Logistically it is very hard to undetectably change a significant number of paper votes in any one place let alone across the country. Electronic voting procedures offer remote access to voting systems and centralised sweet-spot targets. Indeed it was when all the votes came together to be electronically tabulated in the Ministery of Interior that manipulations are alleged to have occurred in the Italian general election.

I'm not the “be all and end all of knowledge in computing” as Mr Gray thinks I see myself. I hope I've never come across that way, I'm just trying to put forward my views and that of many academics, politicians, technologists and citizens.

“Well good luck Mr Kitcat, because neither the Government, the public nor Local Authorities are listening.”

There's nothing like a challenge, eh?

• Election Problems, What Election Problems?
  USA: Bo Lipari from New Yorkers for Verified Voting provides some more pieces to the puzzle of the odd and low-key way in which voting technology problems are usually reported. Bo also has an interesting post comparing voting systems with the space shuttle

• Some recent election results unresolved — or unresolvable?
  USA: Peter G Neumann (whose writings should be compulsory reading on all Computer Science courses) summarises the 5 U.S. House races still unresolved two whole weeks after the mid-term elections.

• Berlusconi's party tried to rig April elections
  Italy: The BBC reports allegations in a DVD that counting software was used to change blank (spoiled) ballots to votes for Berlusconi. Mr Emanuele Lombardi, one of Italy's leading voices against e-voting, emailed me to say that he thought if fraud had occurred it would have been during the data collection stage when tallies were sent to the Ministry of Interior, not the count itself. He reports that the DVD alleges:

  1) blank ballots were about a million less than what expected by exit polls (and previous elections)
  2) Berlusconi had about a million votes more than what exit polls expected.
  3) The above were the only mistakes made by exit polls. In fact they correctely foresaw the electoral results of all the other parties.

• We have been warned: democracy can be hacked
  UK: The official e-democracy'06 videoblogger, David Wilcox has juxtapositioned a clip of Russell Michaels, co-director of HBO's Hacking Democracy along with a clip of me making for a rather powerful post (if I do say so myself!)