19 Jul 2016
Switching voting systems is a thorny issue. In this case, there is no need to rush. Ensuring the integrity of an individual’s vote must be paramount.
Paul Edwards, Manager, operations strategy, ANZ
We must have robust answers to the following five questions before Australia moves into the age of electronic voting.
What assurance will the general public have that the programming code (source code) inside the system works as intended? How does the public know the code is bug-free (at least to a level to accurately count votes)? Even worse, what if there were pieces of code in the system which flip votes?
This becomes a huge issue when elections go down to the wire.
Suppose accidental or malicious code in the system changed 1 per cent of the votes for Party A to Party B?
A full 10 days after the Australian election, the Coalition had 76 seats and the ALP 71, with three others at the time making up the rest of the house. If code were inserted to benefit the Coalition by just 1 per cent of the votes, the Coalition’s figure would have grown to 79 and the ALP’s shrunk to 68.
Conversely, code flipping 1 per cent in favour of the ALP would have given 74 to the Coalition, and 73 to Labor.
These are three very different results for the country, in two cases driven not by the will of the voters but by code inserted (deliberately or otherwise) by an anonymous programmer.
In the United States, manufacturers of electronic voting machines have refused to release the code for independent scrutiny, citing intellectual property concerns.
Of course, even if source code were to be released for scrutiny, how would the public know it is the version of the code being used in voting machines?
To address the first concern, rather than releasing source code for scrutiny, voting machines might dispense a receipt, similar to an ATM. This would allow the voter to check his or her vote on the screen with the receipt issued.
Suppose the receipt shows a different vote to the one on the screen. What process will there be to allow the voter to recast his or her vote? What assurance will there be the previous vote will be eliminated from the system?
Even if the receipt correlated with the vote on screen, these may not actually be the votes lodged (the screen and receipt may display a vote for Party A, whilst adding a vote for Party B).
Manual counting of the receipts would still be required in order to provide a level of assurance about the election outcome – a situation no faster or more legitimate than what we have today.
Even if counting of receipts were only required in electorates with tight results, there would still be a considerable delay.
Any voting system needs to be able to withstand all kinds of issues. For example, what happens if there is a power outage, and the electronic voting machines cannot be used?
Similarly, what if the voting machine crashes part way through a vote? Does the vote count? How are these votes accounted for by the system? What is the process to ensure a person’s vote is entered into the system once, not twice or not at all?
Depending on how the system is designed, votes could be tallied on the machine and sent in one hit to the server, or sent in real time to a central server. If the votes are stored on the machine, what happens if the machine suffers a failure (such as a virus attack or a crash) and there is data loss? How will all the votes submitted on that machine to that point be counted?
If votes are sent real time to a central server, a malicious party could launch a ‘man-in-the-middle’ attack – inserting themselves between the voting machine and the server, and flipping votes as described above.
Or a malicious party might launch a distributed-denial-of-service attack on the central server – bombarding the central server with so many bogus requests genuine votes cannot get through.
The above scenarios are not exhaustive when it comes to considering how to make such a system resilient. Remember, under the current system the greatest technical calamity is broken lead in the pencil (remedy: a sharpener or replacement pencil).
Presumably a voter will need to log into the machine with something like a username and password. (Objects such as a username/password pair used for authentication are called credentials. Other examples include thumbprints and internet banking tokens.)
Using no credentials opens the entire system up to a single person lodging multiple votes.
How will these credentials be assigned to individuals? How will they be stored? Will the system automatically disable a person’s credentials once they have voted – in which case what happens if person A’s credentials are stolen and person B uses them to lodge a vote?
Most importantly, how can any voter be confident their credentials will not be linked with their vote, and then be able to be accessed at some point in the future?
Even assuming all of the above security concerns are resolved satisfactorily, one last integrity question stands out: how will the system deal with a non-valid vote?
Clearly, an electronic voting system should alert people who have made a mistake that their vote is not valid, and offer them a chance to correct the error. However, if the system will only accept valid votes, what about people who actively wish to vote informally?
Simply leaving the incomplete vote on the screen provides an opportunity for the following voter to have two votes. The system could offer an informal option on the screen – but would that be seen as official endorsement of the practice of informal voting?
Whatever your opinion on informal voting, it is part of the electoral system (over 5 per cent of the votes at the 2016 election) and a certain percentage of the population actively choose to vote informally. How will the system respect the integrity of these votes?
Electronic voting promises fast and accurate tallying of votes. Without appropriate resolution to the five questions posed above, this promise comes at a cost – and may not actually deliver on the promise of speed.
Paul Edwards is manager, operations strategy at ANZ
(PLEASE NOTE: not Paul G Edwards, GM corporate communications at ANZ and Publisher of BlueNotes)
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.