Electronic Voting Doesn’t work

Originally published Autumn 2003 in BallotBox, the newsletter of the Electoral Reform Society

Ever since George W. Bush’s bizarre ascension to the Presidency of the United States of America the world of voting has gained a new impetus
and increased publicity. While the use of modern technology in voting dates back at least a century, the advent of new possibilities such as a
electronic kiosk, telephone and Internet voting all have opened a debate that reaches far beyond the hanging chad.

Indeed it was Florida 2000 which finally changed me from being an e-voting champion to a firm sceptic. As Greg Palast documented for BBC Newsnight, The Guardian and in his book “The Best Democracy Money
Can Buy” the technology for managing voter identification was used as a smokescreen by Republicans to exclude around 50,000 citizens who were
highly likely to vote Democrat. This massive fraud, along with many other problems I had encountered during my research, showed that no matter
how many clever technical fixes are in place technology obscures and obfuscates the operations of an election creating massive opportunity for
fraud. I like to use Arthur C Clarke’s aphorism that “any technology sufficiently advanced is indistinguishable from magic” to explain how most
voters, candidates, electoral officers and observers just accept computers and aren’t able to challenge what they report as the results.

In the limited space available I’m going to outline a few of the key problems and briefly touch on what the recent local council election pilots
have shown us. I will avoid as much technical discussion as possible, however a fuller exploration of the arguments for and against e-voting can be
found at http://www.free-project.org/learn/

Fraud on a whole new scale

Electronic voting is difficult. Unlike electronic commerce where you tell the bank or shop your identity and they link all transactions to you, with
voting the system must be sure that you are a valid voter (who hasn’t already voted) but can’t explicitly attach your identity to your vote [1].
Nevertheless the system needs to be sure that every vote is unique, valid and secure. This is an incredibly tough problem.

As the ID card debate has shown, reliable identification is a tricky proposition. Any serious national identification system is bound to be
extremely costly and raises serious privacy concerns. Furthermore such a system (which is what we would need if national e-voting from home was
to become viable) would raise all sorts of technical problems such as how to make sure voters had the right device for reading the ID card on their
computer. Any computer user will know that installing hardware peripherals, finding drivers and making the darn things work can be somewhat of a
challenge. Multiplying this across all voters and every imaginable type of computer creates a technical support nightmare of unimaginable scale.
Even if whatever identification could be used without technical troubles there are excellent arguments for questioning whether we should trust
smartcards, biometrics or passwords – all are vulnerable, particularly when managing them for millions of voters.

Digital technology is so powerful due to the non-rival nature of digital artefacts which means that copying a music file or a vote, for example,
doesn’t take it away from the owner. Thus I can copy a file perfectly at virtually zero cost a million times while still holding the original file. The
implications for electronic voting are that, unlike with the logistical problems of dealing with piles of paper ballots, a digital fraud could alter not just
a handful of ballots in one polling station but a number large enough to actually significantly alter the outcome of an election, for a potentially lower
cost than a very small-scale fraud in our current system.

While such a large scale of fraud is in itself troubling, the problem becomes downright horrifying when one realises that, as the Electoral
Commission has admitted, there are little or no measures for detecting fraud. Not only are changing bits on a computer easier than altering physical
ballots but it is also easier to go undetected. We could quite easily have a situation whereby voters believe they have voted for Party A when in fact
the system stores a vote for Party B. The complexity of the technology is such that very few people understand it and so scrutiny of electronic votes
is essentially non-existent: The Electoral Commission’s recent report on the 2003 local election pilots commented on the lack of any checks to
ensure that suppliers were meeting the requirements set out by the Government. Thus the Office of the Deputy Prime Minister, the Office of the e-
Envoy and local election officers were all taking the suppliers’ word that systems were doing what they were supposed to do. None of the returning
officers, civil servants or candidates I have spoken to in relation to the pilots have had any understanding of computer security or the workings of the
electronic voting systems in question. Scrutiny… What scrutiny?

Of course the suppliers don’t make it easy for people to check their work – they claim commercial confidentiality and refuse to allow anyone to
view the workings of their systems. Thus we must trust them when they say that the system does accurately store votes and doesn’t alter the results
in any way. Even buying a system is no guarantee of access, the Irish government had to admit after a Freedom of Information request that they
didn’t actually have the source code (the fundamental workings of a computer program) to their new e-voting system, the supplier Powervote/NEDAP
had retained it. Similarly in the US voting suppliers have managed to overturn court orders granting access to their systems to investigate alleged
fraud by arguing commercial confidentiality.

A change of heart appeared to be in the air when, in front of an audience of election experts, suppliers and returning officers at a CIPFA e-voting
workshop, Angus Ward of major voting supplier ES&S offered to show me all their source code and system architecture. Subsequently he has failed to
respond to all requests for me to take him up on this generous offer. But even if suppliers did open up their systems we have the problem that there
only 5 or 10 people in the entire world who are independent and know enough about voting, computer security and programming to analyse any
opened systems. Of course we are still faced with the issue of how to verify that the system being analysed is the one actually used in the live voting
system and how to deal with last minute changes or fixes which are so common in the computer industry. For the time being voting systems remain
a black box where voters push a button on one end and a result comes out at the other, with no guarantee that input is related to output.

Electronic voting presents a situation where undetectable fraud on an unimaginable scale becomes possible. The proposed benefits of increased
convenience and modernity hardly seem worth such a risk. Electronic voting companies used to sell reduced costs as their key benefit but, as we
shall see, they sensibly retired such arguments.

The Pilots

The Electoral Commission’s reports of the pilots [2] were extensive and on the whole fairly accurate, though they underplayed the number and
scale of problems experienced. Nevertheless they admitted the lack of any formal measures to ensure that the requirements set out by the various
government departments responsible were actually met by the suppliers. In several cases there was insufficient provision of backup systems, laptop
computers and Internet access affecting the operation of the elections. Testing was found to be insufficient, if it occurred at all, and was poorly
documented. Furthermore there was a negligible impact on turnout, as the ERS also found in our report on the pilots.

But the cost of these pilots was truly gob smacking… for the Sheffield pilot the cost was at least £55 per e-vote though the Commission
acknowledged that this figure was probably higher in reality as much of the spending hadn’t been accounted for in enough detail to incorporate into
the quoted figure. Furthermore I have been informed that several of the suppliers did not charge the true costs they incurred to the government as
they were keen to ensure that they kept their positions in the nascent e-voting market. They had also underestimated many of the expenses they
incurred when they made their bids during the procurement process, a process that was heavily criticised by all those involved.

The Commission’s own understated reports on the pilots show that the government does not seem able to manage technology projects and
suppliers. Furthermore after years of pilots around the world the benefits of e-voting remain hard to identify but the risks are all too apparent as are
the vast costs to taxpayers.

Conclusion

By exploring the problems with e-voting systems I am not denying that there is plenty of room for improvement within the existing voting
system. However I do not see the failings in the current procedures as a valid argument for justifying the introduction of a whole new system which
opens the door to wide-scale undetectable fraud while costing the tax payer vast sums of money. The risks simply do not outweigh the benefits.

[1] While UK law currently has non-anonymous votes (with the help of a court order) in all likelihood we will be moving to a completely secret
ballot very soon as the current procedure breaches at least one treaty commitment along with the EU Human Rights Bill.
[2] The reports are available for download from here.

%d bloggers like this: