Electronic Voting in Ireland - A Threat to Democracy

ShaneHogan

Shane Hogan here, co-author of the Labour Party report on Electronic Voting . Some of the press coverage of our report has been misleading, so I'd like to set the record straight here.

The Labour Party is in favour of Electronic Voting in principle. However, the manner in which Electronic Voting has been implement for the Dept of Environment in Ireland raises many serious concerns about the integrity of the voting process.

The current system does not provide a Voter Verifiable Audit Trail (VVAT), which is becoming the generally accepted international minimum standard for eVoting systems. VVAT provides the voter with 100% confidence that their individual vote is recorded and counted accurately, by providing a paper-based backup to the electronic system.

Other major concerns with the include;

- A marked absence of control procedures regarding setup of the count centre PCs, security of the count centre PCs, restricting access to the count centre PCs, transferring data between count centre PCs by floppy disk, verification of software version on count centre PCs
- No integrated end-to-end testing - each of the individual system components have been tested in isolation, but no integrated testing has been carried out. The testing of the IES counting software was done with the randomisation feature disabled, which does not reflect how the system will operate in the live environment.

Our report also highlighted the fact that there is serious doubt about the promised cost savings. The saving in personnel required to count votes will be outweighed by the additional personal required to operate the voting machines, as each of the 7,000 voting machines requires a dedicated operator to enable the machine for each voter/vote.

And finally, we recommended that the eVoting system in Ireland is put under control of an independent body, such as the Standards in Public Offices Commission, instead of being under the control of the Dept of Environment, which is effectively an arm of Government.

Minister Cullen's response to our report was most disappointing. He attempted to divert attention from these key issues by questioning the credentials of the authors. [See section 7.3 of the report if you wish to satisfy yourself regarding the credentials of the authors]. His reference to problems with voters taking receipts out of the voting booth is curious, given that we never made any such recommendation. It appears that the Minister does not understand the basic principle of Voter Verifiable Audit Trail.

I would encourage any interested voter from any party to read our report - I'll be happy to respond to any queries or issues in this forum.

Regards - Shane

vinnyfitz

Hi Shane
Thanks for opening up this debate here.
I look forward to reading the report - but to start off I wonder whether it is possible to adapt the system which the DoE has bought so as to institute a VVAT or would we have to invest in a completely new system to solve this problem?

V

Sparks

Having read that report, a number of points. (I take it you can accept that most people posting here have formal qualifications in computer science or engineering and thus have professional opinions on this specific topic?)

VVAT
The VVAT is an excellent idea, but formal procedures for it's handling must be implemented - after all, the VVAT at the end of the day is nothing more than a printed list of votes without any possibility of authenticating the list independently if it was to be left unsecured for any length of time.

Formal methods and public trust
Formal Methods have nothing to do with a piece of software's trustworthiness. It's perfectly possible to analyse a piece of software wth formal methods without ever divulging the results. You could use formal methods (at least in theory) to verify a corrupt voting system without inconsistency. The problem would lie in the fact that Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system. Chunks of a system can be formally analysed using Formal Methods, but not any whole system of any real complexity - and the evoting system itself comprises several complex systems. It's far beyond the abilities of the mathematics in the Formal Methods research domain to fully analyse, at least for the foreseeable future. As such, even talking about them is not much more than a display of technical ignorance of the e-voting system.

What is required is not Formal Methods, but an Open Source policy, as was done in Austrailia's e-voting system, as described in this article recently. Source code, electronic schematics, documentation, bug reports and software updates must be made publicly available, and the public need to be able to point out errors and submit proposed corrections to fix those errors. The infrastructure for doing this in a secure fashion is already available and tested, as shown by large software projects like Mozilla, Postgresql, Linux and many others.

This will necessitate the abandonment of proprietary systems alltogether unless the companies involved agree to the open source policy. This would be no bad thing - the idea that elections should be entrusted to Microsoft Access is mindbogglingly incompetent given it's reputation for being inappropriate for critical use.

Datasets and independent analysis
Not only must the final results be made available, so must the authenticated raw data from the polling booths so that results can be independently verified by any citizen with the desire to do so.

None of the Above
There is no "None of the Above" option available in the currently planned electronic ballot. Votes cannot be spoilt accidentally, but also cannot be spoilt in protest. Given that there were in excess of 18,000 spoilt votes nationwide in the last general election, this suggests that the right to refuse to elect any of the proposed list of candidates is something that's necessary to protect what few democratic rights we have.
The None of the Above proposal should be accepted and implemented.

daveirl

This post has been deleted.

ShaneHogan

Originally posted by vinnyfitz
I wonder whether it is possible to adapt the system which the DoE has bought so as to institute a VVAT or would we have to invest in a completely new system to solve this problem?

V

I don't have a definitive answer to this, but I believe it is unlikely. The current Nedap voting machines do have an integrated printer, but the printer is intended for low-grade usage, i.e. printing off a summary at the start/end of the day. I doubt if this printer would be up to the task of printing a paper vote for each/every voter. Also, for VVAT, it is essential the the paper vote is visible for inspection by the voter, but cannot be handled by the voter - it should feed directly into a ballot box. It is unlikely that the it would meet these requirements unless the voting machine/printer was specifically designed to operate in this manner.

Hi Sparks

Originally posted by Sparks
The VVAT is an excellent idea, but formal procedures for it's handling must be implemented - after all, the VVAT at the end of the day is nothing more than a printed list of votes without any possibility of authenticating the list independently if it was to be left unsecured for any length of time.

Agreed - the procedures for the current manual system would apply here.

Originally posted by Sparks
analyse a piece of software wth formal methods without ever divulging the results. You could use formal methods (at least in theory) to verify a corrupt voting system without inconsistency. The problem would lie in the fact that Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system. Chunks of a system can be formally analysed using Formal Methods, but not any whole system of any real complexity - and the evoting system itself comprises several complex systems. It's far beyond the abilities of the mathematics in the Formal Methods research domain to fully analyse, at least for the foreseeable future.

I don't claim expertise in Formal Methods - my partner in the report worked in this area. The requirement for Formal Methods was based on the importance of improved reliability and reduced bug count. This area was well covered in Margaret McGaley's research report from earlier this year.

Originally posted by Sparks
As such, even talking about them is not much more than a display of technical ignorance of the e-voting system.

Charming! But given the basic lack of knowledge on our current eVoting system demonstrated by your next two points, people in glasshouses...

Originally posted by Sparks
Not only must the final results be made available, so must the authenticated raw data from the polling booths so that results can be independently verified by any citizen with the desire to do so.

The raw data from the trial usage of the eVoting system is available - see Dublin County Returning Officer Electronic Voting Count Results

Originally posted by Sparks
There is no "None of the Above" option available in the currently planned electronic ballot. Votes cannot be spoilt accidentally, but also cannot be spoilt in protest.

Not correct. If you apply for a vote, get your name crossed off the register, get a 'ticket' to vote and then you fail/refuse to hit the 'cast vote' button on the voting machine, your vote is treated as 'uncompleted'. Each voting machine operator much account for every uncompleted vote, and at the end of the day, the returning officer (or is it the presiding officer) much reconcile the number of votes applied for (i.e. the number of tickets issued), the number of votes completed and the number of votes not completed. These uncompleted votes are counted & tracked on special forms. The Dept did not release numbers of these uncompleted votes from the trial elections, but these would roughtly equate to the spoiled votes under the old system.

Thanks - Shane

Zaphod

I have an observation on this matter of a paper trail/verification of the electronic vote. In the current non-electronic system, a person casts their ballot, which is jumbled up with all the other ballots when it comes to the count. This ensures total anonymity.

If there is a printer attached to an electronic voting machine, which prints a record of each vote cast onto a spool of paper, then there is a chronological record of how votes are cast. So, for example, in a referendum if a journalist sits outside the polling station when it opens and notes that Mr A goes in first to vote at 8.10am, Mr B goes in at 8.22am and Mrs C goes in a 8.35am, when it comes to the vote count he can look at the voting sheet and see that the first vote was Tá (Mr A), the second Níl (Mr and the third Tá (Mrs C). The principal of anonymity breaks down.

I guess one possible solution would be to use specially modified printers, which would print the record onto individual 'voting tickets' which would be jumbled up just like the current ballots.

star gazer

It's all well and good saying that evoting is good or bad for our democracy, but until we find out exactly what system is being employed and the Minister sets out his reasoning behind it and that of his experts, we can only speculate. We had a system employed in Nice 2 and the last general election but my understanding was that it was to be upgraded.
Trust in the political process is important, trust in the voting system must be absolute. For the Minister to do all the work behind closed doors for so long after he has decided the system is the one he wants is intloerable.
Let's see it.

Sparks

Originally posted by ShaneHogan
I don't claim expertise in Formal Methods - my partner in the report worked in this area. The requirement for Formal Methods was based on the importance of improved reliability and reduced bug count. This area was well covered in Margaret McGaley's research report from earlier this year.

I've read that report already and I'm not convinced of her conclusions regarding formal methods. I'd recommend you contact the Formal Methods Research Group in TCD's Computer Science Department for a more definitive statement (my specific area is robotics, not formal methods, I have only informal contact with that research group), but even McGaley's cited source (Halloway) states that Formal Methods isn't yet usable on large complex systems.

On top of which, it couldn't be used on the current system since the current system is based on Microsoft Access, a closed-source database which hasn't been analysed using such methods, is arguably too large to do so, and whose source could not be made public in any event.

McGaley does make the point several times though, that the source code for the system must be publicly available, which is the foundation of the Open Source way of doing things and which is how the Austrailian system works.

Charming!

Perhaps not, but accurate nonetheless. You asked for opinions, that's my professional one as a computer engineer, and also my first impression after listening to the discussion on this topic on the RTE 1300 news last week. If you'd wanted tact, I'm not the man to ask for, as many here will tell you, but I have the saving grace of being honest.

But given the basic lack of knowledge on our current eVoting system demonstrated by your next two points, people in glasshouses...
The raw data from the trial usage of the eVoting system is available - see Dublin County Returning Officer Electronic Voting Count Results

That I didn't know of, but I've never seen the site before.
Which would seem to point to another requirement for an evoting system - that there be a central, well-known point to access all data and news relating to it. Is that site pointed to from anywhere in the oasis.gov.ie site or anywhere more public?

Not correct.
<snip>
These uncompleted votes are counted & tracked on special forms. The Dept did not release numbers of these uncompleted votes from the trial elections, but these would roughtly equate to the spoiled votes under the old system.

They may be analagous but they're not the same. In fact, they're even less noticable if they don't even release the number of uncompleted votes.

And you still have no valid "none of the above" option. If the objective is to decrease voter apathy and increase turnout, providing the option would appear to be a positive step.

ShaneHogan

Originally posted by Zaphod
I guess one possible solution would be to use specially modified printers, which would print the record onto individual 'voting tickets' which would be jumbled up just like the current ballots.

Hi Zaphod.
It is a basic principle of VVAT that individual voting tickets would be printed and fed into a ballot box. This was certainly what we intended with the recommendation "Once the voter confirms that the receipt is correct, the printed ‘receipt’ automatically goes into a ballot box & the vote is also stored electronically". I realise that we did not explicitly emphasise that each receipt would be individual - we will certainly clarify this point in any future publications.

You highlight the key challenge in relation to eVoting systems - how to provide a Voter Verifiable Audit Trail while protecting the anonymity of the voter.

Hi Star Gazer

Originally posted by star gazer
It's all well and good saying that evoting is good or bad for our democracy, but until we find out exactly what system is being employed and the Minister sets out his reasoning behind it and that of his experts, we can only speculate. We had a system employed in Nice 2 and the last general election but my understanding was that it was to be upgraded.
Trust in the political process is important, trust in the voting system must be absolute. For the Minister to do all the work behind closed doors for so long after he has decided the system is the one he wants is intloerable.
Let's see it.

Most of the details of the system to be used are in the public domain. The only details not in the public domain AFAIK are the source code and the contractual details. There are no significant upgrades planned to the system that was used in the trials during the last general election (3 constituencies) and Nice II (7 constituencies). See our report for more details.

Hi Sparks

Originally posted by Sparks
Perhaps not, but accurate nonetheless. You asked for opinions, that's my professional one as a computer engineer, and also my first impression after listening to the discussion on this topic on the RTE 1300 news last week. If you'd wanted tact, I'm not the man to ask for, as many here will tell you, but I have the saving grace of being honest.

I'm still not convinced that your claim that even talking about formal methods was "not much more than a display of technical ignorance of the e-voting system" was either accurate or honest. Having reviewed piles of harcopy & softcopy documentation from the Dept of Environment, reviewed international papers on eVoting and prepared/reviewed/finalised this substantial report, I would humbly suggest that I am not ignorant of the eVoting system. I would humbly suggest that I know more about the eVoting system than anyone who has not devoted considerable time & effort to this specific implementation.

Now if you had chosen to cast aspersions on my experience of Formal Methods, you might have a reasonable arguement. But you didn't - you accused me of "not much more than a display of technical ignorance of the e-voting system". This is not accurate.

Originally posted by Sparks
They may be analagous but they're not the same. In fact, they're even less noticable if they don't even release the number of uncompleted votes.

True. The Dept really should be reporting these non-completed votes. I guess it might be possible to get this information under an FOI request if the Dept don't start publishing it.

Sparks

Originally posted by ShaneHogan
I'm still not convinced that your claim that even talking about formal methods was "not much more than a display of technical ignorance of the e-voting system" was either accurate or honest.

I don't see why not - formal methods have nothing to contribute to the problem of developing a trustworthy e-voting system. In fact in their present state of development, I do not believe they could even be used on the system as a whole.

Having reviewed piles of harcopy & softcopy documentation from the Dept of Environment, reviewed international papers on eVoting and prepared/reviewed/finalised this substantial report, I would humbly suggest that I am not ignorant of the eVoting system. I would humbly suggest that I know more about the eVoting system than anyone who has not devoted considerable time & effort to this specific implementation.
Now if you had chosen to cast aspersions on my experience of Formal Methods, you might have a reasonable arguement. But you didn't - you accused me of "not much more than a display of technical ignorance of the e-voting system". This is not accurate.

So what you're saying is that after devoting considerable time and effort to studying the e-voting system, you're of the opinion that Formal Methods, a system which I've heard dismissed for practical use today by the very researchers working on them, is the key requirement?

Let me ask you a question then - why put such emphasis on Formal Methods, which do not in any event ensure trustworthiness (they're only designed to ensure that a program does what it's specification says it should, regardless of that specification), while not putting as much emphasis on Open Source development methods and the need for the system to be totally in the Public Domain?

True. The Dept really should be reporting these non-completed votes. I guess it might be possible to get this information under an FOI request if the Dept don't start publishing it.

For only twenty euros...
Not the optimal solution.
The "None of the Above" option being made a valid choice would be a far better solution.

Sparks

Originally posted by ShaneHogan
Most of the details of the system to be used are in the public domain. The only details not in the public domain AFAIK are the source code and the contractual details. There are no significant upgrades planned to the system that was used in the trials during the last general election (3 constituencies) and Nice II (7 constituencies). See our report for more details.

Shane, if the source code and electronic schematics of the system are not available in the public domain, you might as well chuck the rest of the details out the window, because you have absolutely no way of verifying that the system they describe is the system you're using. The disparity between what the documentation says the system is or does, and what it is or does in reality, is so well-known to be invariably large that it's the source of more jokes than I've had hot dinners.

As to upgrades, the process of applying hardware or software upgrades must be formalised - as shown in the US in the last week, patching of software hours before an election has happened in the past, and unless the procedure for doing so is formalised and the software itself checked on the day in a formal manner, you can discard all available information on the system completely, as unverifiable and useless.

ShaneHogan

Originally posted by Sparks
I don't see why not - formal methods have nothing to contribute to the problem of developing a trustworthy e-voting system. In fact in their present state of development, I do not believe they could even be used on the system as a whole.

This is your opinion - not one which I agree with, or which most of the other researchers who have reviewed this topic seriously agree with, but it is your opinion, and I respect it as such. I see no reason how you came to a conclusion that an opposing opinion shows 'not much more than technical ignorance of the eVoting system'. At best, you could accuse me of not being an expert on formal methods, but your accusation of showing 'not much more than ignorance on the eVoting system' just doesn't stand up.

Originally posted by Sparks
So what you're saying is that after devoting considerable time and effort to studying the e-voting system, you're of the opinion that Formal Methods, a system which I've heard dismissed for practical use today by the very researchers working on them, is the key requirement?

It is one of several recommendations in the report. The fact that it is a system which you have heard dismissed during your 'informal contact' with that research group does not strike me as having substantial weight in this debate. If I tell you that my mate told me that the system is really great, would you accept that? Of course not.

Originally posted by Sparks
Let me ask you a question then - why put such emphasis on Formal Methods, which do not in any event ensure trustworthiness (they're only designed to ensure that a program does what it's specification says it should, regardless of that specification), while not putting as much emphasis on Open Source development methods and the need for the system to be totally in the Public Domain?

Our report doesn't put 'such emphasis' on formal methods. It is one of several recommendations. We recognised that it is too late for it to be applied to the current system and recommended that it be used for any future system. We also recommended that the code be placed in the public domain.

Originally posted by Sparks

For only twenty euros...
Not the optimal solution.

Agreed.

Originally posted by Sparks

Shane, if the source code and electronic schematics of the system are not available in the public domain, you might as well chuck the rest of the details out the window, because you have absolutely no way of verifying that the system they describe is the system you're using. The disparity between what the documentation says the system is or does, and what it is or does in reality, is so well-known to be invariably large that it's the source of more jokes than I've had hot dinners.

See section 5.2 of our report for recommendation to release the source code into the public domain.

Originally posted by Sparks

As to upgrades, the process of applying hardware or software upgrades must be formalised - as shown in the US in the last week, patching of software hours before an election has happened in the past, and unless the procedure for doing so is formalised and the software itself checked on the day in a formal manner, you can discard all available information on the system completely, as unverifiable and useless.

See section 5.4 of our report for recomendations to avoid tampering with software.

Sparks

Originally posted by ShaneHogan
This is your opinion - not one which I agree with, or which most of the other researchers who have reviewed this topic seriously agree with, but it is your opinion, and I respect it as such. I see no reason how you came to a conclusion that an opposing opinion shows 'not much more than technical ignorance of the eVoting system'. At best, you could accuse me of not being an expert on formal methods, but your accusation of showing 'not much more than ignorance on the eVoting system' just doesn't stand up.

Then let me explain it more basicly.
The e-voting system's requirements list does include that it should be error-free, but more importantly than that, it should be uncorrupted - that is, it should implement a fair election rather than implementing a corrupt (in the political sense) system. That this can happen is well-known, as you can verify, having studied the Diebold cases in the US, where many voting systems were accessed during the voting period in ways proscribed by federal law, in some cases undetectably.

Fufilling this requirement that the system should implement a fair election cannot be achieved through the use of formal methods. At all. Ever. They are completely the wrong tool for the job. It would be like trying to use algebra to hammer a nail into a piece of wood.

What is needed to fufill that requirement is an Open Source approach, as shown by the Austrailian efforts in this area that I linked to above.
Formal Methods are just (in effect) irrelevant. They wouldn't catch source code bugs, they wouldn't prevent subversion of the system by a programmer, and they cannot ensure that the public can trust the system. To recommend them as critical to an eVoting system implies (in the best case scenario) that you don't understand the technology in an eVoting system - which is a critical failing for someone proposing policy in this area. And since the only difference between our normal voting system and an evoting system is the technology, it follows that saying that Formal Methods are critical to such a system implies insufficent understanding of that system.
Clearer?

The fact that it is a system which you have heard dismissed during your 'informal contact' with that research group does not strike me as having substantial weight in this debate. If I tell you that my mate told me that the system is really great, would you accept that? Of course not.

It depends. If it's just "your mate down the pub", you'd be correct. If, on the other hand, it was a senior lecturer in the computer science department who happened to be the head of the formal methods research group, and he was responding to a direct question on whether or not formal methods were currently usable for complex systems, I might give his opinion more weight.
Wouldn't you?
Remember, "informal contact" in an academic environment like the one I work in doesn't mean a chat over a pint, it just means that it wasn't published in a journal or a conference proceedings.

Our report doesn't put 'such emphasis' on formal methods.

Actually it does. It says they're critical, in section 5.2

See section 5.2 of our report for recommendation to release the source code into the public domain.

5.2 confuses formal methods and availibility of source code in an overly vague manner, and it doesn't handle the availability issue properly.

5.2 No Formal Methods used in development of software
Formal methods refers to a set of mathematically-based techniques that are used in the development of safety-critical software, such as airplane navigation systems or life-support machines.

In the analysis actually, not during the development process. Formal methods don't come into the development process until after the design is complete. They're effectively a testing procedure.

These techniques make it possible to mathematically prove, or at least significantly raise, the accuracy of the software. However, software development using formal methods can be slower than traditional methods and the skills required are typically more expensive. While DoEHLG have not made the actual source code publicly available, it is clear from the technologies used and the source code review that formal methods were not used in development of either the IES system or the Nedap voting machines.

As I've said before, if you don't see the source code, the other documents are worthless because there's no way to verify them. Which means that you can't make any judgements from those documents. What makes it clear that formal methods weren't used is the fact that a central part of the Nedap system is Microsoft Access - and the source code for that database system isn't publicly available and therefore couldn't be analysed with formal methods, even if the complexity of the system didn't preclude that avenue, which it does.

Therefore (unless these systems are absolutely unique in the world of software development), we know that there must be bugs in the software it is just a question of how many bugs and how significant they are.

Formal methods don't pick up bugs. They pick up design errors. One level of abstraction up. Also, you've omitted that a major source of bugs would be the external software (Microsoft Access in this case as well as any other external software used) which can be changed without warning and which cannot be verified without source code which is not publicly available.
That's just not acceptable for a system designed to elect the government.

Recommendation: We recommend that DoEHLG releases the source code and test results of both the IES system and the Nedap software to public review, in order to independently assess the quality and reliability of the software.

This is important, but phrased like this, quickly becomes worthless. The code must not just be released to public domain, it must be maintained in the public domain, in the same manner as other Open Source projects. Otherwise, the system in the box on election day could be totally different from the previously released system. For example, I can get access to every release of the web browser Mozilla, going back to it's first version, and I can get the changelogs explaining the differences between each and every version, who made the changes and why. I can get access to every known bug, as and when the developers get it, and if I come up with a solution to that bug, there's a method to submit my solution in a secure manner (so as to prevent me writing a fix to a bug that actually subverts the system). Large software packages have been done in this way for years now and the techniques and tools required are not only well-developed, but are publicly available.

The release of the source code in the public domain will ensure that the system in analysed by a broad range of experts in Ireland and beyond. This would also help to reassure the public that there is nothing to hide . These independent assessments will allow for public confidence in the software used to drive the electronic voting system. We also recommend that formal methods be used considered a key requirement for any future electronic voting systems for Ireland.

Formal Methods can't be a key requirement, they're not industry-ready yet. And Open Source methods must be a key requirement, but you should be specifying that seperately and not mixing the two together like that, because they're very different things.

See section 5.4 of our report for recomendations to avoid tampering with software.

5.4 doesn't go far enough. It is possible in hardware to ensure that the voting system is placed on a read-only medium so that changes cannot be written to it. Failing a hardware approach, unix-based operating systems can designate specific disks to be read-only in software. There needs to be a designated period before the election where changes cannot be made to the software to allow independent observers time to analyse the software, and such independent observers should be contracted to do so.

ShaneHogan

Thanks for your valuable feedback. I'll give it all the attention it deserves.

Sparks

As a seperate question Shane, did you consult with the Electronic Frontier Foundation or attempt to contact the original members of the Irish branch, Electronic Frontier Ireland?
This area is precisely in their area of expertise.

oscarBravo

...transferring data between count centre PCs by floppy disk...

...a central part of the Nedap system is Microsoft Access...

Jesus wept! What sort of friggin' amateurs are we dealing with here??

dathi1

Sparks..forgive my ignorence..the platform used on Nice 2, was it Microsoft based?

Thanks for the education.

Sparks

Originally posted by dathi1
]Sparks..forgive my ignorence..the platform used on Nice 2, was it Microsoft based?
Thanks for the education.

As far as I know, Nedap's system was used for the Nice 2 referendum, which is based on Microsoft Access.
As are some of the US evoting schemes, which have been found to have .... interestingly complex tally schemes. As in :
Votes come in in Access database A, get copied to database B and then tallied into database C.
Meaning that you could play about undetected with database B, because it's never displayed anywhere to the operators.

Paddyo

This certainly is an education.

Microsoft Access????? Great for amateur users to setup their address books using wizards - until the database becomes corrupt.

I have been a programmer for nearly 20 years now. You can have all of your Formal Methods, Structured Metohdoligies, Flow charts etc - these al reflect what should be done.

What is actually done, and what is most important is written in the code. The only way to absolutely verify code is to see it.

Im with sparks on this one.

Just one point sparks..
You say that we would need to be able to see the MS Access code. Would we also need to see the OS Code, and all of the other code on chips in the computer. I know Im being a bit of a prat - but isnt it the logical conclusion?


MS Access - I still cant believe it. A text file would be safer!

Paddyo

mycroft

http://www.truthout.org/docs_03/110403E.shtml

---

Diebolt using copyright laws to supress free speech.

Diebolt are the builders of the the US's electronic voting system

Sparks

Originally posted by Paddyo
Just one point sparks..
You say that we would need to be able to see the MS Access code. Would we also need to see the OS Code, and all of the other code on chips in the computer. I know Im being a bit of a prat - but isnt it the logical conclusion?

Right down to the schematics of the polling booth machines Paddyo. Which is why those details are all available for the Austrailian system, and the OS they use is linux.

Paddyo

Right down to the schematics of the polling booth machines Paddyo. Which is why those details are all available for the Austrailian system, and the OS they use is linux.

And I presume the workstations or other equipment which would be used in transferring and tallying the results.


Paddyo

vinnyfitz

More support for your VVAT argument Shane here. I must say its hard to argue against this standard.

But isn't this an appalling vista for Minister Cullen? 35 million Euro down the drain or can the machines be adapted?

scojones

As long as it's an opensource e-voting system then i'm all for it!

ShaneHogan

Originally posted by vinnyfitz
More support for your VVAT argument Shane here. I must say its hard to argue against this standard.

But isn't this an appalling vista for Minister Cullen? 35 million Euro down the drain or can the machines be adapted?

Hi Vinny - Sorry for delay in responding. That UK site give the best explanation of VVAT that I've seen so far.

In relation to your appaling vista question, I guess that it why the minister & the dept are scrambling so hard to protect the reputation of their chosen system. I think it is unlikely that the current Nedap machines could be retro-fitted for VVAT - see discussion earlier in this thread, though I can't be 100% sure on this point.

Just to get back to the 'formal methods' issue, I was contacted by staff of Praxis Critical Systems, a UK business who make their living from the development of high-integrity systems. Interestingly enough, they are not planning on closing down their business and walking away, based on the news from Sparks/TCD that "Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system". Their view is that Formal Methods would certainly be quite appropriate for specification and/or development of an eVoting system. Feel free to read their report here. Taking their view and the research report from McGaley/Gibson (both with strong academic backgrounds in formal methods), I'm comfortable that our recommendation re. formal methods stands up.

But formal methods isn't the core issue - neither is open source, or security procedures. The core issue is VVAT - Voter Verifiable Audit Trail - once we have VVAT, there is no incentive for anyone to attempt to break the system, as the paper-based backup is the primary source in case of any dispute or inquiry. Keep an eye on the Irish eVoting mailing list as more & more worrying news regarding the Irish system leaks out.

Regards - Shane

star gazer

It would seem common sense that there would be a paper trail.

dahamsta

I sent this out to two Cork techie mailing lists this morning. Obviously the details are localised but you get the picture. Please do get in touch with any of the TD's or senators mentioned if they represent you in some way.

adam

From: adam beecher
Sent: 24 November 2003 11:26
To: CorkWAN Discuss
Subject: FW: [E-voting] Oireachtas joint committee examining voting
machines on2003/11/25

Sorry for the off-topic post. An Oireachtas committee will meet tomorrow at 2:30 to discuss electronic voting with Martin Cullen, the Minister responsible. As people that understand technology and communications, electronic voting in Ireland should concern you, particularly the closed and questionable system our government wants to implement.

At least two Cork TD's - Billy Kelleher (FF, Cork North Central) and Bernard Allen (FG, Cork North Central) - will be in attendance, so if you have a moment please contact them to express your concerns -- you'll find contact details on the websites below. Fax would be preferable at this late stage.

http://www.finegael.ie/Representatives/representatives.cfm?id=12&TD_Key=18
http://www.bernardallentd.com/

http://www.fiannafail.ie/td_cv_67.htm
http://www.billykelleher.com/

Here are a few suggested questions you can ask:

- Will the Minister personally vouchsafe that testing carried out on the Nedap/Powervote system was 100% independent?
- Will the Minister agree to a code review and security audit by members of the Irish developer community?
- Will the Minister halt all spending on voting machines until this review has taken place?
- Does the Minister agree that a Voter Verifiable Audit Trail (VVAT) should be manadatory for electronic voting systems?

Please bear in mind when considering this subject that if electronic voting goes unchallenged, the government will almost certainly roll voting machines out across the country in next year's local elections. Your money will buy these machines -- do you know enough about them to trust them with your vote?

The members of the committee are listed below. If there are any other relevant TD's or senators, please contact them also. You can read more about electronic voting in Ireland and/or browse mailing list archives discussing the subject here:

http://evoting.cs.may.ie/

Thanks,
adam


>

---

Original Message

---

> From: e-voting-bounces@lists.stdlib.net
> [mailto:e-voting-bounces@lists.stdlib.net]On Behalf Of Adrian Colley
> Sent: 24 November 2003 10:25
> To: Irish Citizens for Trustworthy Evoting
> Subject: [E-voting] Oireachtas joint committee examining voting machines
> on2003/11/25
>
>
> According to <URL:http://www.gov.ie/oireachtas/sch-week.htm>, the
> Oireachtas Joint Committee on Environment and Local Government will
> meet tomorrow at 2.30pm with these agenda:
> > Discussion with Minister for the Environment and Local Government on
> > electronic voting and Presentation by Department Officials on the
> > Nedap Voting System.
>
> The members of the joint committee are:
> Bernard Allen TD (FG) John Cregan TD (FF)
> Ciarán Cuffe TD (Green) Eamon Gilmore TD (Lab)
> Noel Grealish TD (PD) Seán Haughey TD (FF)
> Jackie Healy-Rae TD Billy Kelleher TD (FF)
> Padraic McCormack TD (FG) John Moloney TD (FF)
> Seán Power TD (FF) Sen. James Bannon (FG)
> Sen. Cyprian Brady (FF) Sen. Michael Brennan (FF)
> Sen. Michael McCarthy (Lab)
>
> This might be a good opportunity to enlighten some souls. Perhaps
> someone could contact this lot on behalf of our little group,
> providing some appropriate questions for the Minister and his
> minions? Margaret? Catherine? One of my local TDs is in the list,
> so I'll be talking to him before the Committee meetings; it mightn't
> be a bad idea if others here do something similar.
>
> --Adrian.
>
> --
> GPG 0x43D3AD19 17D2 CA6E A18E 1177 A361 C14C 29DB BA4B 43D3 AD19
> http://user-aecolley.jini.org/
>

Victor

I just found this, dated 30 October 2002.

http://www.environ.ie/

Media Centre > Press Releases > Minister Cullen, roll out of electronic voting for 2004 Local Government and European Parliament Elections 30 October2002

Minister Cullen announces roll out of electronic voting
for 2004 Local Government and European Parliament Elections

Mr Martin Cullen TD, Minister for the Environment and Local Government has today (30th October) announced that electronic voting will feature in all electoral areas for the 2004 Local Government and European Parliament Elections. Minister Cullen made the announcement following today's cabinet meeting.

Announcing the extension, Minister Cullen stated that the success of electronic voting was clear to see at the recent Nice Referendum. 7 constituencies used electronic voting at the referendum with results for each announced within three hours of the close of polls.

Minister Cullen said: "Following the successful introduction of the electronic system at the May 2002 general election and at the Nice referendum, I am delighted to announce that the Government have decided to use electronic voting and counting throughout the country in the European and Local elections in 2004.

"Reaction to the electronic experience has been overwhelmingly positive both from voters and from electoral administrators and I will be pressing ahead immediately with the planning for the 2004 polls. I am convinced that electronic voting will make it easier for the public to vote, will improve the efficiency of electoral administration, will provide earlier results, will support a positive image of the country in its use of information technology and will help to modernise the democratic process in all its facets.

"Presentation of results, marrying the new electronic system with the more traditional methods of the past is now the priority. I believe every count centre should have a large screen where the results of each count are shown. This enables everyone involved – candidates, voters and the media to see results clearly, who is elected, who is eliminated, where transfers are going and the trends emerging", he said.

A publicity campaign will be run nationwide in the lead up to the 2004 elections to inform voters on the operation of the voting machine.

The nation-wide rollout will involve the use of almost 7,000 voting machines in 267 local electoral areas.

Electronic voting was first used at the general election in May of this year in the constituencies of Meath, Dublin North and Dublin West and was rolled out in a further four constituencies (Dublin Mid West, Dublin South West, Dublin South and Dun Laoghaire) at the recent referendum.

ENDS

vinnyfitz

Well Yes I think that this is this plan which Shane is writing about.

The way I see it though, its a bit late to be complaining about NEDAP Powervote now. Those 7000 machines must have been ordered (and paid for?) months ago. The main question, which no one seems to be able to answer, is whether they can be adapted swiftly to provide a VVAT and, if not, whether the level of risk in using them without a trail is so great that we should either mothball them untill someone designs and manufactures the printers and glass tubes and so we can all see the paper copies of our votes before they go down the enclosed chute into the sealed, reserve, ballot boxes?

Is it worth delaying the commissioning of these machines for a couple of years? Are people arguing that Council or MEP elections are so rigourously contested that we are at risk of IT fraud? That will probably be the debate in the Dáil committee tomorrow.

star gazer

Given that Cullen seemed only to come up with the advantage of speed for electronic voting and that it will look good doesn't signify a sufficient case for taking the risk (however small) of changing the voting and vote-counting system in the country.

Sparks

Well, this topic was just brought up on Questions and Answers, though quite unsatisfactorially in my opinion. No-one pointed out that noone knows how these machines work, or whether or not they're secure. Rather poor, that. At least someone pointed out the storage cost (50,000 euro per year per constituency!).