3 July 2003 Edition
The problem with Electronic Voting
Electronic voting, or e-voting as it is sometimes called, may be here to stay, but in the following article, EAMONN NOLAN of Sinn Féin's Ard Chomhairle, points up the flaws in the system chosen and explains why Sinn Féin wants it changed.
Electing by E-vote
Electronic voting was introduced at the last general election in three constituencies in the South. It is intended that all constituencies will have electronic voting for the next local elections and for every election thereafter.
But the system that will be used has not been debated by the public, despite the major effect it will have on elections and the potential dangers that it throws up.
Background
E-voting, has a number of possible forms. Voting can be done by phone, by email, from a television screen, or by kiosk. The main problem with internet or phone voting is that privacy is almost impossible to ensure. Internet and phone communications are vulnerable to interception with relative ease. It is for that reason that most governments who look at electronic voting look at standalone kiosk-type systems. This is the form the 26-County government has introduced.
However, last year I contacted the Franchise office in relation to the electronic voting and requested the source code being used by the system. They said this was the property of a Dutch company called NEDAP. It now turns out, due to research undertaken at NUI Maynooth, that the government themselves do not have the source code.
Maynooth Report
Margaret McGaley and Paul Gibson of the Computer Science Department in Maynooth recently published a study called Electronic Voting: A Safety Critical System, which analysed the system being used by the government and proposed an alternative. The result of their analysis was that "while an adequate electronic voting system is possible, NEDAP/Powervote is not it."
Their analysis has two main focuses. First the technical issues around how Powervote was developed and second how the finished system meets the needs of democracy. They are critical in both areas.
As anyone involved in elections will tell you, the PR-STV system used in the South is a complicated process, especially when dealing with eliminations, surpluses and transfers. The Powervote system codes the rules for dealing with these issues into the programme. They basically have a database that holds the information and a set of computer programs that manipulate the database, based on the rules.
Developing computer programs that correctly meet requirements on all occasions is a very difficult task. Computer disasters are many and well documented. One of the means of ensuring that programmes are as bug-free as possible is to take a very formal approach to development. In many safety critical systems (eg. power stations, transport systems, hospitals etc) a method called Formal Design is used. This uses mathematics to formally 'prove' each part of the code. A Formal Design method was not used, it seems, by NEDAP. So is the programme bug free? Probably not. What would be the result of any bug? It is impossible to say. Could it affect the outcome of an election? We don't know.
The fact that the source code is not available to computer professionals means its actions cannot be verified. For example, a computer can be made to display one thing, record another, and print a third. Also, if the code is only available to a private company, the report raises the possibility of sabotage from within the company by placing a programmer in its ranks.
So the technical difficulties are :
Formal Design techniques were not used in what should be a Safety Critical System.
Citizens do not have access to how the rules governing elections are being implemented.
A paper trail is not produced to allow an independent recount to take place.
In terms of how elections should be run, the Maynooth report outlines a number of criteria that should be met. These are;
1. The system must allow only eligible voters to vote, and they must be allowed to vote only once.
2. The voter's identity and their vote must be kept separate.
3. The voter's intent must be recorded correctly.
4. The vote cannot be altered or removed once it has been recorded.
5. Tabulation must be accurate and independently reproducible.
6. The public must be confident that all the above requirements are met.
They conclude that the first two requirements are met by using the polling booth and then by using random numbers to identify the vote cast.
Flaws in the system
In March 2002, the department asked a company called Zerflow to carry out a security assessment of the powervote system. Zerflow pointed out some serious flaws in the system. The Minister says the Zerflow concerns "were considered", but no changes were made to the system.
As we have no access to the source code, we don't know if criteria 3 to 5 mentioned above are met properly. In fact, we can quite confidently predict that there are some bugs in the software, as there are in any major piece of software. We can't predict how they might manifest themselves.
Trusting the tally
In terms of public confidence, there doesn't appear to be an issue. No one has raised it politically to any great extent. However, given that trust has become an issue since the election, should we trust the government to carry out elections fairly?
Dr Rebecca Mercuri has been an expert in the field of electronic voting for many years. She outlined an approach, in a paper entitled A Better Ballot Box, which allows electronic voting, ensures a paper trail for recounting if required and enhances user confidence.
She says "the Mercuri Method requires that the voting system print a paper ballot containing the selections made on the computer.
"This ballot is then examined for correctness by the voter through a glass or screen, and deposited mechanically into a ballot box, eliminating the chance of accidental removal from the premises. If, for some reason, the paper does not match the intended choices on the computer, a poll worker can be shown the problem, the ballot can be voided, and another opportunity to vote provided."
Recommendations
Sinn Féin is not against electronic voting, but there are a number of recommendations that need to be followed to ensure the system works as it should. While we do support using a kiosk type system, we would call for the Formal Methods of development to be used.
In addition to this:
All source codes and design should be publicly available for inspection by citizens and especially by Computer Science experts.
The Mercuri method should be applied, ie. a paper copy of the vote, verified by the voter, is held for the purpose of independent recount.
There needs to be a change in the 1992 Electoral Act to allow counting of all votes when distributing a surplus, instead of counting only the last sub-parcel.
There should be a provision which allows people to exercise their franchise without endorsing the candidates, through a 'none of the above' or spoiling option.
Electing by E-vote
Electronic voting was introduced at the last general election in three constituencies in the South. It is intended that all constituencies will have electronic voting for the next local elections and for every election thereafter.
But the system that will be used has not been debated by the public, despite the major effect it will have on elections and the potential dangers that it throws up.
Background
E-voting, has a number of possible forms. Voting can be done by phone, by email, from a television screen, or by kiosk. The main problem with internet or phone voting is that privacy is almost impossible to ensure. Internet and phone communications are vulnerable to interception with relative ease. It is for that reason that most governments who look at electronic voting look at standalone kiosk-type systems. This is the form the 26-County government has introduced.
However, last year I contacted the Franchise office in relation to the electronic voting and requested the source code being used by the system. They said this was the property of a Dutch company called NEDAP. It now turns out, due to research undertaken at NUI Maynooth, that the government themselves do not have the source code.
Maynooth Report
Margaret McGaley and Paul Gibson of the Computer Science Department in Maynooth recently published a study called Electronic Voting: A Safety Critical System, which analysed the system being used by the government and proposed an alternative. The result of their analysis was that "while an adequate electronic voting system is possible, NEDAP/Powervote is not it."
Their analysis has two main focuses. First the technical issues around how Powervote was developed and second how the finished system meets the needs of democracy. They are critical in both areas.
As anyone involved in elections will tell you, the PR-STV system used in the South is a complicated process, especially when dealing with eliminations, surpluses and transfers. The Powervote system codes the rules for dealing with these issues into the programme. They basically have a database that holds the information and a set of computer programs that manipulate the database, based on the rules.
Developing computer programs that correctly meet requirements on all occasions is a very difficult task. Computer disasters are many and well documented. One of the means of ensuring that programmes are as bug-free as possible is to take a very formal approach to development. In many safety critical systems (eg. power stations, transport systems, hospitals etc) a method called Formal Design is used. This uses mathematics to formally 'prove' each part of the code. A Formal Design method was not used, it seems, by NEDAP. So is the programme bug free? Probably not. What would be the result of any bug? It is impossible to say. Could it affect the outcome of an election? We don't know.
The fact that the source code is not available to computer professionals means its actions cannot be verified. For example, a computer can be made to display one thing, record another, and print a third. Also, if the code is only available to a private company, the report raises the possibility of sabotage from within the company by placing a programmer in its ranks.
So the technical difficulties are :
Formal Design techniques were not used in what should be a Safety Critical System.
Citizens do not have access to how the rules governing elections are being implemented.
A paper trail is not produced to allow an independent recount to take place.
In terms of how elections should be run, the Maynooth report outlines a number of criteria that should be met. These are;
1. The system must allow only eligible voters to vote, and they must be allowed to vote only once.
2. The voter's identity and their vote must be kept separate.
3. The voter's intent must be recorded correctly.
4. The vote cannot be altered or removed once it has been recorded.
5. Tabulation must be accurate and independently reproducible.
6. The public must be confident that all the above requirements are met.
They conclude that the first two requirements are met by using the polling booth and then by using random numbers to identify the vote cast.
Flaws in the system
In March 2002, the department asked a company called Zerflow to carry out a security assessment of the powervote system. Zerflow pointed out some serious flaws in the system. The Minister says the Zerflow concerns "were considered", but no changes were made to the system.
As we have no access to the source code, we don't know if criteria 3 to 5 mentioned above are met properly. In fact, we can quite confidently predict that there are some bugs in the software, as there are in any major piece of software. We can't predict how they might manifest themselves.
Trusting the tally
In terms of public confidence, there doesn't appear to be an issue. No one has raised it politically to any great extent. However, given that trust has become an issue since the election, should we trust the government to carry out elections fairly?
Dr Rebecca Mercuri has been an expert in the field of electronic voting for many years. She outlined an approach, in a paper entitled A Better Ballot Box, which allows electronic voting, ensures a paper trail for recounting if required and enhances user confidence.
She says "the Mercuri Method requires that the voting system print a paper ballot containing the selections made on the computer.
"This ballot is then examined for correctness by the voter through a glass or screen, and deposited mechanically into a ballot box, eliminating the chance of accidental removal from the premises. If, for some reason, the paper does not match the intended choices on the computer, a poll worker can be shown the problem, the ballot can be voided, and another opportunity to vote provided."
Recommendations
Sinn Féin is not against electronic voting, but there are a number of recommendations that need to be followed to ensure the system works as it should. While we do support using a kiosk type system, we would call for the Formal Methods of development to be used.
In addition to this:
All source codes and design should be publicly available for inspection by citizens and especially by Computer Science experts.
The Mercuri method should be applied, ie. a paper copy of the vote, verified by the voter, is held for the purpose of independent recount.
There needs to be a change in the 1992 Electoral Act to allow counting of all votes when distributing a surplus, instead of counting only the last sub-parcel.
There should be a provision which allows people to exercise their franchise without endorsing the candidates, through a 'none of the above' or spoiling option.