Australian Electoral Commission Refuses To Allow Researchers To Check E-Voting Software
from the after-all,-it's-only-democracy-that's-at-stake dept
The fact that Techdirt has been writing about e-voting problems for sixteen years, and that the very first post on the topic had the headline “E-voting is Not Safe,” gives an indication of what a troubled area this is. Despite the evidence that stringent controls are still needed to avoid the risk of electoral fraud, some people seem naively to assume that e-voting is now a mature and safe technology that can be deployed without further thought.
In Australia, for example, e-voting is being used for the elections to the country’s Senate, but the Australian Electoral Commission (AEC) has refused to release the relevant software, despite a Senate motion and a freedom of information request. Being able to examine the code is a fundamental requirement, since there is no way of knowing what “black box” e-voting systems are doing with the votes that are entered. A story by the Australian Associated Press (AAP) explains why AEC is resisting:
The Australian Electoral Commission referred AAP to a decision by the Administrative Appeals Tribunal [AAT] in December 2015.
In that decision, relating to a freedom of information request, the tribunal found the release of the source code for the software known as Easycount would have the potential to diminish its commercial value.
“The tribunal is satisfied that the Easycount source code is a trade secret and is exempt from disclosure,” the AAT said.
Placing trade secrets above the public interest is a curious choice, to say the least. It seems particularly questionable given Australia’s recent experience with e-voting software problems:
When the ACT Electoral Commission released its counting code, researchers at Australian National University found three bugs which were subsequently fixed before an election.
When the Victorian Electoral Commission made its electronic voting protocol available to researchers in 2010, University of Melbourne researchers identified a security weakness which was then rectified before the state election.
As Techdirt readers well know, bugs are commonplace, and there’s no particular shame if some are found in a complex piece of software. But refusing to allow independent researchers to look for those bugs so that they can be fixed is inexcusable when the integrity of the democratic selection process is at stake.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: australia, e-voting, source code
Comments on “Australian Electoral Commission Refuses To Allow Researchers To Check E-Voting Software”
Lying to congress
Isn’t it illegal to lie to congress? Sounds like an impeachable offense for some anti-privacy congress critters.
Oh wait…. It’s probably not illegal for a congressman to lie to congress, just peasants.
Re: Lying to congress
There is no way any politician would ever make a rule against lying. There already are rules for perjury, but you can easily tell they only leverage those against pissants, never against colleagues because they are deathly afraid of it coming back and biting them ALL in the asses.
Re: Lying to congress
Australia has a parliament, not a congress, so they have Critters of Parliament, not Congress Critters.
They have a House of Representatives and a Senate modeled on the US chambers, but it’s otherwise a parliamentary model.
Re: Re: Lying to congress
No we have a House of Reps (lower house) modeled on the UK model, the Senate is modeled on the US Senate (using the UK House of Lords model as well) of elected State based representatives only.
Requirements for an e-Voting system
* Open Source
* Only ‘key’ parameters (eg, pure data nonexecutable) are secret
* Electronically records your vote, to a local and off site archive
* Each ballot recorded in the electronic archive is digitally signed by the machine with a sequence number, and includes the hash of the previous ballot. (and the previous ballot included the hash of its previous ballot, etc. thus ensuring a verifiable chain of ballots.)
* Prints a paper record into a local archive. (eg, a machine that has a bin gradually accumulating a stack of small ballot cards which would be similar to a paper ballot)
* The voter can see an on-screen image of the ‘paper’ ballot after they have confirmed and submitted their vote — that way the voter knows that their vote was correctly ‘recorded’.
Both electronic and human recounts are possible because of both the electronic and paper archive of ballots.
The paper and electronic archives can be audited to ensure the two archives exactly match. The local electronic and remote electronic archive can also be audited to ensure they match.
The paper ballots that are archived in a card stack would be designed to be human readable, but also easily machine readable such that the machine can read the same thing that a human reads (eg, not a barcode along with a printed indication of what the vote is which is two separate things.)
Now, even if the e-Voting software were closed source, it would be possible to ensure that its behavior is correct. None of this business where the only record is an electronic record — and it is a correct and true record of what voters voted! I swear! No, really. I promise! Trust me.
Voting results could be instantly available online so that people in Western longitudes know that it is pointless for them to go out and vote.
Re: Requirements for an e-Voting system
i am a techno guy, but the ONLY reason we have computer based systems, is they can be controlledby TPTB…
2. um, not mentioned in the article, but, um, OUR computer based voting systems are ALL ‘proprietary’ / black box software us mere voters are NOT allowed to inspect…
3. those few times white hat hackers have accessed voting machine code, it was a gigantic steaming pile of spaghetti programming…
there are only two reasons for spaghetti code, massive incompetence over time, OR, they are purposefully obfuscating the code to hide eee-vil machinations…
Re: Requirements for an e-Voting system
Seeing an image isn’t enough, because it would be trivial to re-use images. The voter should see the actual ballot and drop it in a box themselves.
You’d have to be careful with the “chain of ballot hashes” idea. It seems like something that could damage ballot secrecy, if done wrong. (And even if you can verify a ballot is recorded correctly, that doesn’t guarantee it’s secret, which could still be a problem with closed-source systems.)
“The tribunal is satisfied that the Easycount source code is a trade secret and is exempt from disclosure,”
If that’s the case then the correct response by the government *should* be “alright, we shall not continue to use your voting machines then.”
But really it should have been in the contract to begin with that the source code being turned over was a non-negotiable condition for being in the business of providing voting machines.
Re: Re:
Exactly. If your “trade” is democracy itself, you do not get to keep secrets. Otherwise the democracy ends up broken, and that’s a higher priority.
Re: Re: Re:
This can NEVER be said enough.
There is no place for the concept of Secrecy in a Democracy. You guys are now beginning to see why a true democracy will never work. Actually there are 2 reasons.
#1. Agents of the government seek secrecy to gird themselves from scrutiny, be for good or evil.
#2. People will only remain prosperous until they find they can vote themselves largess.
America is currently suffering directly under both of these principals. We are have destroyed our democracy, we are something else right now.
Re: Re: Re:
You don’t need that because the companies will be storing the votes in a secret open DB/FTP/whatever for anyone interested enough to find. And when someone reports on that fact, they can expect to be charged with election tampering to start with and have their lives ruined.
Re: Re: Re: Re:
That is only for the people dumb enough to tell everyone their names along with their discovery.
Proprietary code in election software is equivalent to secret law.
Re: Re:
But we, at least in the US, already have secret laws, secret interpretations of laws, secret courts, secret court orders, secret warrants, secret arrests, secret evidence not available to the defense, secret convictions, secret prisons, and secret torture.
So why should we be worried about secret democratic election software?
With so much secret surveillance, can you be sure your vote is a secret?
The NSA
Is Your Friend!
Trust The NSA!
I'm still amazed
I’m still amazed that anyone — particularly election boards — thinks that these machines are an acceptable idea. They are, in fact, the exact opposite of that. They would be dangerous even if the source code was available for audit.
Re: I'm still amazed
Agree… I work in IT, the number of exploits possible against any system is just flat out mind boggling.
It is worth the time and effort to just count everything by hand or at least to have that option be possible in the case of a close race.
You can do a lot of remote attacks against a machine, and since the same people I do not trust are in charge of the election machines… yea… not going to even venture a guess on how corrupt the system is.
The ENTIRE process must absolutely be performed in the public eye were even the average joe should catch MOST attempts at deception.
Re: I'm still amazed
My secret e-Voting company would like to invite your election board for a two week all expenses paid informational seminar at one of the convention centers at Disney World. We will include free Disney Visa gift cards for your convenience on or off the resort property. We can show you two point four million reasons why you should choose our voting systems.
(yes, Disney World in Orlando has very nice facilities for large business events like a company Christmas party. Such facilities would work equally well to be rented for the kind of event described above.)
Re: E-voting would still be useful.
E-voting systems should be completely open source. A secret system screams of built-in fraud.
But we shouldn’t discard the notion of E-voting entirely. A robust and secure E-voting system would allow for participatory democracies at least in small organizations such as communities, if not large ones such as nations.
A robust, secure universal system would also allow for quicker popular counts, eliminating a lot of the problems we have with mechanical voting (such as gerrymandering and the Electoral college.)
And it’s not like mechanical and hand-counted voting systems are particularly secure or free from fraud.
Re: Re: E-voting would still be useful.
I’m not saying that the concept of electronic voting is unworkable. I’m saying that all of the current approaches to it are, open-sourced or not. They all share a showstopper problem out of the gate: there’s no way to verify votes or do meaningful recounts.
It can't be open and verifiable
The proletariat is lucky to be allowed to cast their vote – at least the voting card isn’t pre-punched with their decision on it.
We are nearly at the point of “Thank you for coming. Your vote has already been recorded”.
If the machines were transparent, then the voters actual chosen candidate would win the election.
We can’t have that.
/sarc, /snark, /hope
Re: It can't be open and verifiable
“We are nearly at the point of “Thank you for coming. Your vote has already been recorded”.”
Remember the company who claimed their facial scanning software could detect your criminal characteristics?
“An Israeli start-up says it can take one look at a person’s face and realize character traits that are undetectable to the human eye. Faception said it’s already signed a contract with a homeland security agency to help identify terrorists. The company said its technology also can be used to identify everything from great poker players to extroverts, pedophiles, geniuses and white collar-criminals.”
https://www.techdirt.com/articles/20160524/12210734538/israeli-company-claims-software-can-look-your-face-determine-if-youre-terrorist-murderer.shtml
So, perhaps in Version 2 there will be no need to leave home to vote. It will already be done for you, and no way to opt out (unless you’re deemed an undesirable and then there will be No Vote For You!)
Why Electronic Voting is a BAD Idea - Computerphile
E Voting will never work.
https://www.youtube.com/watch?v=w3_0x6oaDmI
Re: Why Electronic Voting is a BAD Idea - Computerphile
E-voting already works very well thank you.
It just depends on what your definition of ‘work’ is.
Re: Why Electronic Voting is a BAD Idea - Computerphile
Tom seems a bright lad, but I’m not sure how well-read he is on proposals to incorporate blockchain-ing into potential e-voting schemes.
Re: Re: Why Electronic Voting is a BAD Idea - Computerphile
Wow, you turned a rational objection into condescension for no reason.
Maxim
The are two types of software, that in which bugs have been identified and that in which bugs will be identified.
I’m not certain the goodness/badness of e-voting. Until I know specifics, I can’t offer a reasoned opinion. However, I am certain a model that relies on closed source, proprietary, trade secrets is now and ever will be unacceptable, if we hope to maintain even the merest illusion of democracy.
This software, if allowed to exist at all, is ONLY appropriately handled under Open Source principles and maintained in publicly readable repositories. The more eyes, the better.
Solutions
I always thought that voting machines would work better if they were really just there to help us mark the ballot. Have the machine show what you are voting for, and have it mark an actual ballot for the item. Then the voter takes the completed paper ballot, verifies it, and puts it in the ballot box – where it can be counted.
The bonus… because the ballots are machine marked, you could use a second system to actually count them efficiently.
The bonus bonus: when there is a recount required, you actually have paper ballots. The machines have nothing to do with it, you have the actual paper of record to prove it.
Re: Solutions
I agree with most of that. You need a paper trail, you need a way for the voter to confirm the vote is actually cast as you wish. Theres probably some verification steps needed to ensure that there’s no tampering with the paper and allow for damaged/lost/illegible printouts, but as long as those first 2 requirements are met I’m ok with electronic voting. A black box with no independent paper trail? Not a chance
Re: Re: Solutions
Except for the case where there is a discrepancy and the DA refuses to perform a manual count of the paper ballots.
Re: Re: Re: Solutions
Same flaw as a completely physical system though. So, not perfect but as good as the system that’s worked for a long time
But that's not how it works
“The tribunal is satisfied that the Easycount source code is a trade secret and is exempt from disclosure,” the AAT said.
But it will be disclosed. It probably already has — just not to researchers who are trying to study the integrity of the election process.
This code has value. Therefore there are buyers. Therefore there are sellers. And the price tag is high enough that both buyers and sellers will accept the risk in order to complete a transaction; see, as the definitive piece on this: Stealing an Election by Bruce Schneier, which is now 12 years old and even more relevant now than it was in 2004.
Given the realities of elections, power, money, and politics, it’s just about certain that this code is in the hands of people other than the vendor. So calling it a “secret” is at best unjustified optimism and at worst a cynical coverup. I think the question is not “if”, but “who”, and “when”, and “why”.
Re: But that's not how it works
What do you mean? That the vendor has provided the code to a bad guy that paid to see it?
Those who can't vote by ballot...
…electronic or otherwise, eventually vote by AK-47.
The whole point of the vote in the first place is that sooner or later, Cerseis and Joffreys end up dominating the throne.
Though the lords of the US might have figured out that the illusion of enfranchisement is enough to keep the people in line. So long as they think they can vote the bastards out, they won’t turn violent.
We’ll see how that plays out.
Those who vote decide nothing, those who count the votes decide everything
Yours Truly,
Stalin
to investigate would reveal the fix they have already decided on.
They might actually have a fair election otherwise instead of the criminal they bribed and blackmailed to enslave the citizenry
No E-Voting for Australian Senate
That statement appears to be incorrect. Last I checked the Australian Electoral Commission wasn’t using e-voting for the Senate. So I went to the AEC’s website to double-check and sure enough Australians are still using BALLOT PAPERS at the July 2 election, not electronic voting. You can find the details at:
http://www.aec.gov.au/Voting/How_to_Vote/Voting_Senate.htm
This PDF:
http://www.aec.gov.au/election/files/e2016-official-guide.pdf
has more details.
Having verified that I then went back to check that 9news.com.au article which was quoted in the article. And guess what? It refers to “vote-COUNTING software”.
As distinct from e-VOTING software.
That is to say, presumably the paper ballots will be scanned in to a computer system and the software used to tally the vote. The reason the AEC is using such vote counting software is because the Australian Senate uses proportional representation and counting its vote by hand can usually take weeks. Senate ballot-papers also tend to be huge, especially in the New South Wales and Victoria. Last election there were only six vacancies to be filled in each state., In NSW that led to a ballot-paper about a yard long with over 100 candidates. This time there has been a double dissolution so here will be twice as many vacancies. Twelve in each state to be precise. Which means in NSW and Victoria the number of candidates could well hit two hundred!
Now having said all that, none of this is to say that the article’s point isn’t still valid. However, having paper ballots does mean that if any shenanigans do occur it is more likely to be subtle rather than blatant; and if there are any doubts the paper ballots are around to do a recount.
Re: No E-Voting for Australian Senate
I will add to this that the computers used are isolated from any network to prevent hacking and that the count is done multiple times with different people entering data, with results compared.
Re: No E-Voting for Australian Senate
Exactly!!
Glyn could you please update this story to specify that Australia currently (and will not for foreseeable future) have any E-Voting whatsoever for State nor Federal elections.
All elections use PAPER BALLOTS, which are marked using pencil/pen using NUMBERS in the order of preference wanted by individual voters.
They are then manually counted using the “mark 1 human eyeball” except for the SENATE in certain circumstances only in which the paper ballots are fed into a scanning mechanism and then the numerals (1 to 6) for the top part of the Ballot paper only. IF the bottom part of the ballot, which can have up to 100+ numbers marked (no less than 12) than that is STILL manually tallied.
Oh and it is absolutely mandatory for every Australian citizen 18yrs of age or over to vote, unlike the UK or USA. In fact it’s an offense not to vote.
Re: Re: No E-Voting for Australian Senate
NQR. It is an offence to not get your name marked off the electoral role. There are a set of subsidiary offences to do with marking the ballot incorrectly, but these are unenforceable as we have secret ballots and it is an offence to view anyone else’s ballot. So, one does not have to cast a vote merely submit a ballot paper. If the ballot paper is unmarked or incorrectly marked, it is counted as invalid.
Re: Re: Re: No E-Voting for Australian Senate
An unmarked ballot paper is an abstention from all the votes.
Are you saying they don’t want you to abstain from voting regarding those issues in which you don’t care or don’t have enough information to make a correct decision?
Incidentally in the USSR voting was mandatory too. Not that it really helped much.
Re: Re: Re:2 No E-Voting for Australian Senate
What it simply means is that the only legally valid requirement is that your name is crossed off the electoral role for that specific election. What you do afterwards is completely up to you. Those who want will simply mark the papers in such a way that the ballots will be discarded in terms of the actual count. They can’t be touched as it is a secret ballot.
There is always a significant number of people who do this. What will get you into trouble (as in a fine) is not getting your name crossed off. There are also many who do their ballot work in the couple of weeks before hand at their convenience and just ignore the day in question.
Unlike other places, we don’t have a first past the post and the votes are distributed according to the ballot selection.
This year it is strange because there seems to be very little difference between the majors. The majority of MHR’s and Senators seem to be in favour of making this nation a police state and running the nation into the ground.
The Motoring Enthusiasts Party’s former senator has come across as a man who wants to actually do his job but a lot of them just toe the party line and are useless.
With regards the majors, one side wants one lot of unsavoury characters to have power, while the other major parties want other groups of unsavoury characters to have power. It is looking like we (as a nation) are between a rock and a hard place, in other words, we’re screwed. Damned if we do and damned if we don’t.
But the decision is still ahead and we’ll need to see what happens in the next couple of weeks. One never knows, we might have a disaster that takes out many of the current candidates and leaves room for a brand new batch.
We have been using proprietary voting software for a long time
Once a year, Australia stops and most adults cast their vote for the winner in a race called the Melbourne Cup. Many people cast multiple votes, and everyone backs their vote with money. Ok, we call this betting on a horse, but it’s essentially the same thing.
Most of this is done electronically these days. It is handled by an entity called the TAB. And, sure, you can cheat on a horse race but it is much harder to cheat the TAB.
Elections would seem to be lot easier to handle, after all they are only a two-horse race.
Of course they aren’t going to allow researchers access to the software. Can you imagine what would happen if they discovered discrepancies that could allow fraud to occur on behalf of the ruling elite? “Trust us, there’s nothing here. Move on. Move on.”
Secrets
Trade secrets are fine within private industry. The public voting process should be transparent (for obvious reasons) and thus software containing SECRETS of any kind should be forbidden from use. (again for obvious reasons)