Éibhear/Gibiris

Electronic voting in 2007

The following was a "Letter to the Editor" I sent to Village Magazine back in August of 2007. I forgot about it. I'm printing the unedited version that I sent here.

A chara,

I am responding to the article that was sent to me by your FeedBlitz system regarding the report on the study into why so many young people don't vote, and the conclusion it came to that there would be more votes if voting by SMS or over the web was facilitated. I am an IT professional and currently work in the financial services industry designing and developing IT systems. I have been interested in electronic voting for the last 3 or 4 years. I am not currently active with any organisation that campaigns either for or against electronic voting systems.

Electronic voting has received a lot of bad press recently. Practically all of it is justified. The following problems present themselves when considering electronic voting:

Trust:

Can the voter trust the organisation that registers the vote? Can the voter trust the organisation that transports the vote to the vote-counting arrangement? Can the voter trust the manner in which the vote is counted?

In the current Irish system, the voter knows that the vote is being registered correctly, because the only artifact that contains the vote is the ballot paper, and this is in the absolute control of the voter between the time it is handed to the voter (blank) and the time it is placed into the ballot box. After that, the ballot box is in full public view, in order to deter any interference with its contents while polling continues. Once polling is completed, the Garda Síochána is tasked with protecting the integrity of the ballot boxes from the time of the closure of the polling station until the time of the opening of the count centre. Responsible individuals also accompany the ballot box on its journey, ensuring no one organisation or individual has exclusive access to it. The ballots are then counted in public, and, especially during the first count, this process is scrutinised by members of the public. In all these three situations, there is either no great burden of trust because the process is very open and transparent, or where trust is required, it's tempered by the balance of access while the ballots are in transit.

In a voting system that involves either SMS texting or a web-based interaction, the voter has no proof that the vote is being recorded correctly. Only the companies that manage each segment of the network that the vote travels along will be able to track the progress of the vote. No one else. Neither the voter, the returning officer nor any other organ of the state, including An Garda Síochána. The most that can be done is for interested parties to rely on the word of the companies managing the networks. This means that it would be close to impossible to confirm that a vote has not been interfered with in some sophisicated, electronic, manner while in transit. As the counting would be performed electronically, there would be no guarantee that the votes are being counted correctly. For example, a public examination of the source code involved is still not a guarantee that the source code examined formed the source code of the implementation of the counting software being used. One cannot trust an electronic voting system on the simple grounds that the public must trust the subsystems it uses and those who manage those subsystems. History has been quite explicit in teaching us that those who say "trust us" when it comes to hidden processes cannot be, y'know, trusted.

Secrecy:

There is a fallacy in the pro-electronic voting argument that goes like this: as we can buy goods on web sites like EBay, conduct banking transactions online, perform tax returns through the web, surely we shouldn't worry about electronic voting systems. This argument fails because it does not consider one two-word phrase: audit trail. For all electronic transactions to be performed with confidence (as opposed to confidentially), the person performing it needs to know that it can be tracked if a problem arises. To facilitate this, all electronic transactions carry with them some data: the person's name, the account number, the date and time of the transaction, etc. – not just the transaction amount. However, in a secret voting system, only the cast vote should form the ballot. A voting system that associates any form of voter-identifying information with a cast vote is not secret. If the voter is guaranteed that his or her vote will not be identifiable once it has been committed to the system, it follows, therefore, that if the voter feels the vote has not been counted, there is no way for the voter to prove what that vote was. An example would be if a candidate received no votes in such an electronic system, the candidate would not be able to prove that she or he voted for her- or himself, even. That example is extreme. Consider, however, the exit polls from the most recent general election. While they surprised many before the first tallies came in, they were on the money. In itself, this is no surprise as exit polls tend to get it right. Imagine a scenario where the exit poll in a consituency gets it massively wrong? If the votes are not associated with individual voters, then there's no way to investigate something that is clearly fishy. However, we can't associate the votes with the voters, because that would remove the secrecy of the ballot and give rise to intimidation, vote buying, etc. All responsible and complete analyses of electronic voting systems support the position that unless the vote is recorded on paper at the same time as it is recorded electronically, and that paper record is retained by the voting system (and not the voter!) as a backup and auditable confirmation of the result of the electronic recording and counting, then either the secrecy or the reliable of the ballots must be compromised.

Reliability:

Despite the efforts of all involved, it is extremely difficult to develop completely robust, resilient and bug-free electronic systems. It is even more difficult when there is the most unusual requirement that the transaction be recorded without recording any information about the person performing the transaction, while at the same time protecting against intended or inadvertent corruption of the data in the transaction. Bugs are everywhere, and EBay, online backing systems and the Revenue Online System all implement standard techniques to prevent against this: duplication, replication, online and offline backups, double-entry accounting, etc. One expects that they conduct regular checks to make sure everything is running smoothly, and when problems are identified, take steps to correct them. Imaging a bank that knows one of it customer's current accounts has the wrong balance, but they have no way, ever, to know what account it is or who the customer is. This doesn't happen, because all the details regarding a transaction are recorded multiple times, in order to allow a bank to recover from such a situation. As outlined above, this type of reliability cannot be applied to an electronic voting system because we cannot record with the vote who cast it. This brings us back to the concurrent paper record of the vote. Reliability is catered for in this situation by regular audits of the electronic voting system by counting some of the paper records as well. The decision of what votes to audit would not be taken because there is a perceived discrepancy, but because the process requires it. This would be similar to unannounced "kit inspections" in a military context. Of course, if there is a concern with the result of the count, this would trigger a count of the paper version of the vote.

Electronic voting can work. However, the authors of this report chose to ignore the serious problems that arise with electronic voting. The closest they come to covering them is to shrug them off with the suggestion that it can be done if it's done properly. The Department of the Environment thought it was being done properly, and the seriously constrained Commission on Electronic Voting demonstrated that it was not. Doing it properly requires listening to those who have conducted serious research on the matter, and this tends not to happen.

It's worth wondering if the respondents to the survey were asked if they would have voted on a weekend day. It does not seem correct to assume that electronic voting would be the only solution to the problem of low voter turn out. Citing Australia, for example, is disingenuous, as it is compulsory to vote down there. Failure to do so will result in prosecution.

There seems to be a growing propaganda campaign that denies or understates the problems of electronic voting and seeks to present those with valid concerns as ludites or hacks. It is necessary for journalists in particular to consider the problems openly and to ask the proper questions. It is my experience that when journalists ask the proper questions, proponents don't want to answer and skeptics have all the relevant information.

Éibhear Ó hAnluain

You can't add any comments to this post. If there is something you would like to bring to my attention, please use the contact mechanisms below to get in touch.

About

I, Éibhear Ó hAnluain, live in Dublin, and my background is as a Software Engineer. I currently work as an Enterprise Architect in a global organisation. Visit this page to learn about all the ways you can contact me.

It is the policy of this site to ignore or rebuff all requests to host "content" from others. All third-party work presented on this site is done so to facilitate my commentary on the work, and is posted under terms that are under my exclusive control.

Creative Commons Licence
All pages and blog posts in this site are copyright © Éibhear Ó hAnluain, and are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License

All exceptions to the above notice will be noted where applicable.

Powered by o-blog.