Software Improvements, who developed the original open sourced e-voting system for the Australian Capital Territory have decided to not provide future versions of the software under an open source license.
It seems like Software Improvements have woken up to the global market and don't want others profiting from their work. Once GPL'd is not always GPL'd in the future…
The BBC has reported on its site that more postal voting trials are 'possible' according to Local Government minister Nick Raynsford MP. The BBC article is essentially following up responses to a House of Commons report on the pilots.
The snappily titled 'Office of the Deputy Prime Minister: Housing, Planning, Local Government and the Regions Committee' published their seventh report specifically on the matter of all-postal votes. It's a good report which makes excellent recommendations to improve the security of postal ballots. In particular the report recommends the voter registration is tied to the individual and not the household in future. This would allow a pass code to be written onto identity slips and checked electronically during counting.
They also recognise the pressure for postal voting is due to desires to boost turnout. Yet they conclude that 'the Government must not rely on changes in the electoral system to increase voter turnout, they must also ensure engagement of electors in politics.' Good stuff.
Joe Kiniry from the Nijmegen Institute for Computing and Information Science has put a short paper online about the current status of e-voting in The Netherlands.
An excellent comment piece in yesterday's Guardian by Prof. Justin Lewis highlights the paradox of declining terrorist attacks amidst ever growing media coverage of terrorism. Unfortunately the online version doesn't have the little graph that accompanied the print piece but it's still worth a read.
Of course media coverage is never going to be simplistically correlated to how often something occurs. Nevertheless Prof. Lewis' piece is useful in reigning in an excitable media stuffed with 'terrorism analysts' whilst also calming governments who are getting themselves in a sweat over the matter. Yes terrorism is an important and real threat, but so is global warming, and the greenhouse effect has more predictable risks than fevered imaginings of terrorist plots.
I got a quote in an e-voting article by the Wall Street Journal Europe this week. For this article I'm quoted as being a political scientist. Odd, I never told the journalist this and it says nothing of the kind on this site. I've been told that maybe I should have been a political scientist but those bits of paper my universities gave me show otherwise. Ah well 🙂
I can't link to the article as it's for subscribers only, but here are the details, it's a nice summary of the European situation:
“In Most of Europe, Electronic Voting Loses Out to Paper Ballots — Pilot Programs and Tests Are Run, but Reliability And Security Are Concerns”
By John Miller – Dow Jones Newswires
26 July 2004
The Wall Street Journal Europe
VoxPolitics' James Crabtree has a new article discussing MPs' use of the Internet over the last ten years. Like many James had high hopes for the Internet's role in politics. But most politicians just aren't getting it. The article notes the relatively low levels of resources MPs have when compared to their US equivalents. True enough and Parliament's actual modes of working are antiquated: Richard Allan MP often complains that his days are structured in a way to prevent him doing the things he wants to!
Still the article ends on a hopeful note… A new generation of MPs might be more open to using the Internet to its full potential. I certainly hope so. In the mean time we can work on fine tuning the tools and the online political environment. We'll be ready when the MPs are!
Sony has always had a bit of a weird ability to create technically strong hardware that sports arcane interfaces. Their products have usually revelled in names only a geek could love whilst being shrouded in attractive casings.
Enter the 'Network Walkman NW-HD1' Sony's proposed iPod killer. Problem is that the Network Walkman is looking like a big flop before it's even available in stores. Sony have over-hyped the device's capabilities, botched the interface, made poor technical decisions (forcing users to convert music to ATRAC3) and been slow to market. In the meantime Apple have been able to release a new version of the iPod with a higher battery life, even slicker interface and introduce a price cut. This leaves Sony as an expensive late-comer to the digital music player.
Poor old Sony can't even agree who should be making digital music devices, the Walkman group or the Vaio group so we will be treated to an even more expensive Vaio player from Sony later in the year.
Apple probably can't believe their luck. Read the whole WSJ review on Sony's sorry little music player here.
A naive little article shows how the Indians are trying to sell their e-voting system into the United States. But they're disappointed not to have had any buyers afters doing some demos. Folks, the purchase process for e-voting machines in the US is long, slow and involves many lunches! Still one of the Indian manufacturers is quoted as saying that their system is 'tamper-proof' so they've got their marketing right for the US market!
I cracked… I couldn't resist any longer and I dove into the iTunes Music Store UK. I can't deny that my first five purchases are an odd selection. But that's part of the fun with the store, you end up in musical places you wouldn't suspect.
Overall it's a remarkably smooth experience. I've had a few glitches in terms of trying to access pages on the store probably because it's so busy. Yes there's lots of stuff I'd like to see online, but I'm sure they'll get there.
What I really miss is user reviews though… I found myself with a Safari window open to Amazon UK so that I could read reviews of albums as I browsed. I'm not sure why Apple chose not to include user reviews in the store… maybe it's coming or maybe they just don't want negative views to be put online next to their wares.
Let's face it though… Apple have made the music industry's massive vaporware (easy digital music) come true. We can probably thank WebObjects and the savvy realisation that iTunes was a better interface than the web browser for music buying for this new way of spending our money!
The Register recently published two articles by Thomas C Greene examining e-voting security. Unfortunately the pieces are rather flawed. The first, “E-voting security: looking good on paper?” examines paper based voter verifiable audit trails (VVAT). The article doesn’t start well:
The voter’s paper receipt has become the security idee fixe of DRE skeptics, and a shibboleth identifying those who are on the ‘right’ side of the debate.
This is not true in two ways… Firstly, the potentially paper token used in VVAT is not a receipt! A receipt is something you can take with you to prove a transaction occurred. If VVAT did mean using a receipt then we’d be allowing vote selling. But we don’t mean a receipt, we mean a paper ballot which is left in the polling station. Secondly, paper trails are not an ‘idée fixe’ for e-voting skeptics, both David Dill’s US resolution on VVAT and our European resolution are carefully worded to not imply paper. The resolutions support any form of voter verifiable audit trail that meets the requirements set out, it’s just that right now the best example uses paper.
Now that I’ve cleared up those two points let us proceed to some of his other assertions in the first article…
People imagine that, so long as the printout matches their recollection of votes cast, it’s proof that the DRE machine is recording their votes properly. In fact, it’s no such thing. It’s proof only that the printer is recording their votes accurately.
I’ve never ever heard anyone claim that a printout proves that the DRE machine is accurately recording their vote. Greene presents an obvious statement as insight. The whole point of VVAT is that we can never be sure of what the DRE machines are doing with our votes, hence the need for a second channel.
The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.
Again statement of the obvious – of course the machine could show/print one thing to voters while store another. This is why VVAT is needed and electronic results cannot be trusted! Yet such arguments, logically correct whilst missing the point, get echoed by people such as VoteHere’s highly competent founder Jim Adler.
The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected.
Similarly in a blog post Jim Adler refers to his 64 year old mother wondering over what happens if she doesn’t check the paper ballot in a VVAT process. In other words he argues that VVAT doesn’t prove the accuracy of machine results or the accuracy of paper for recount as neither is checked if the voter doesn’t look at the paper. Furthermore Adler’s mother could testify in court that she didn’t look at paper so it can’t be trusted for a recount. But I say people could equally testify that they didn’t check electronic verification codes proposed by Adler’s company, thereby making the counting of electronic votes invalid.
Of course if all voters did not check their printouts then we could not have much confidence that the paper accurately recorded the voters’ intent. However, as Fergal Daly from Irish Citizens for Trustworthy E-voting writes in a letter to The Register (“Letters: We want our e-voting paper trail”), it would take only a small percentage of voters to check their printout to make the probability of fraud going undetected in an election vanishingly small. Of course some won’t check, but you can bet many will, particularly if it’s made clear that in a recount the paper result is the legally binding one.
Furthermore, there is no guarantee that the paper record will be the one recounted.
This is where legislation needs to be changed. Greene argues that under current legislation recounts would have to be done in the same manner as the original election and that there would be no mandate to hold the paper result over the electronic result. All VVAT campaigners are asking for changes in legislation and electoral procedures to accompany VVAT. In most countries, including the UK, legislative changes will be necessary before any form of e-voting can be used in a general election. Such legislation will need to give the paper trail (if used) primacy, procedures will need to be modified and it must be made clear that there will be a high chance of the VVAT being counted. Thus not only if there are doubts over a result or the result is particularly close, but a significant random number of constituencies must recount no matter what. This significantly increases the chances of fraud being detected.
In his second article, “E-voting security: getting it right”, Greene summarised his first piece with the following:
The much-celebrated voter verifiable paper trail is useless as a security measure for Direct Recording Electronic (DRE) election systems, and actually introduces far more problems than it solves.
A strong claim which I don’t believe he actually backs up in the article. Anyway let us proceed to his second piece. He begins by acknowledging the less than satisfactory approaches most e-voting vendors have taken to developing and testing their products. Yet when Greene comes to providing remedies he seems to be rather naive:
Guarding against post-certification tampering [of source code] would be a simple matter. First, as soon as certification is complete, checksums of all software components, compilers included, would be recorded, and then verified later, on election day before the machines are put to use. Any machine with the wrong checksums would be pulled.
There are several issues here but it is by no means ‘a simple matter’. Yes checksums can be generated, but will ordinary voters trust them? Checksums are not infallible and how can voters trust that they are properly verified? There is a significant amount of code on your average DRE… the voting system, the user interface (including audio files, device drivers for sound output & touchscreens) as well as the operating system (which can be a behemoth like Windows 2000). That’s a lot to checksum and keep tabs on. But what happens when there is an update to any one of those components, especially if it’s time critical? Are checksums going to protect the system integrity? No. The reality is that under the pressure of election day most polling workers will ignore a checksum which doesn’t verify.
Credit where credit us due though… Greene is right on the money when he recommends improving the physical security surrounding elections and e-voting hardware. His recommendations in this area are good but costly. Then things get worse again…
It is crucial that there be an independent testing and certification authority, and that it be in possession of all source code, compilers and firmware, to verify that the equipment works properly, and to guard against vendor backdoors and default admin passwords, etc.
While independent testing is crucial we cannot assume, as Greene seems to, that cerification always catches holes. As Chris Soghoian and Avi Rubin argue, who tests the testing authorities?
Later on in his article Greene suggests that terminals use ‘cryptographically protected’ hard disks to store votes as a backup for recounts. Not only would using hard disks for vote storage create logistical issues if the main storage is removable flash memory, but it misses the point. A hard disk would not be a second independent channel as VVAT could be. The hard disk would be a copy of the existing electronic channel which would still be counted with the same electronic algorithm. Thus recounts would only differ if a bug or hardware failure prevented the same electronic votes getting to all digital storage media used.
Greene also weighs in on the topic of logging:
Most importantly, all database activity should be logged, and the access logs and system logs should be audited before an election is certified.
…
The terminals must be capable of extensive access and system logging, and logs must be audited when a machine is suspect or malfunctions
Logs are an important part of catching attacks. They help prevent the worse case scenario of an undetected successful compromise of a system. But what about voter secrecy? The unique challenge with e-voting, a challenge Greene never acknowledges, is that votes must be secure, accurate and anonymous. This makes electronic voting unlike most other electronic transactions. Thus we cannot just apply the ‘usual’ techniques to e-voting without thought. Detailed logs, useful from a security and audit perspective, may well undermine the secrecy of a ballot and so must be implemented with great care.
Greene mentions an ‘elections database’in his second article without ever clarifying what this is, the electoral register, the place storing cast votes or what?
His checklist of 12 things that could be done to secure elections is not too bad. Though again it just doesn’t acknowledge the unique challenges e-voting presents.
Greene’s conclusion is worth repeating in full…
Quality elections don’t come cheap
It isn’t necessary for the vendors to re-design their equipment radically. Indeed, all that’s needed is for the public to demand that they do what they do, only the right way. “Good enough” simply isn’t good enough; the system has got to be right.
Basic security and common sense are all that’s required. The DRE systems offer many real advantages in terms of preventing overvoting, minimizing undervoting, clearly recording voter intent, and offering handicapped access. They can improve the accuracy of election results dramatically, and extend voter franchise, so long as they’re built right, certified right, and secured properly.
At the moment they’re not, but they can be.
Doing it right will not be difficult, though it will be expensive, and the vendors will whine at demands that they make their systems reasonably secure. However, we shouldn’t balk at a system that’s expensive and good, considering what’s at stake here. At the moment, the systems are expensive and lousy, which forms the basis of the vendors’ profits. Under a proper regulatory regime, they will have to earn their money; they will have to work for it. They won’t like it very much, but they’ll get over it in time.
Surely the public deserves to vote on equipment that’s at least as reliable as a video poker machine.
Yes the public deserve to vote on reliable, secure and accurate systems, if such systems must be used. But doing e-voting ‘right’ will be difficult AND expensive.
In his letter to The Register Fergal Daly, acknowledges the fact that us campaigners know that DRE+VVAT sucks, but it’s better than DRE. Greene attacks DRE+VVAT when we know it isn’t ideal. Still most of Greene’s arguments land wide of the mark. Whenever I make a presentation to promote VVAT I conclude by saying “If adding VVAT in the form of a paper trail to an e-voting system sounds expensive and complicated, that’s because it is. But it’s the best way to fix a broken system. Ideally we’ll never get these expensive systems that have few benefits yet many risks. My preferred system is pencil and paper, it works!”
Jason Kitcat 