E-voting

However, that doesn't mean that we should advocate the use of cryptographic hash functions for basic sanity checking. In the case of the memory cards in the diebold systems for example, an attacker who is swapping out memory cards and causing a reset is just going to have a different sane state validated by a more expensive algorithm.

Statement by Ms Margaret McGaley at the Joint Committee on Environment and Local Government on 10 December 2003



Electronic Voting in Ireland



Good afternoon. Before I begin, I would like to thank the Chairman and the Committee for inviting me to give a presentation today. I hope that I can address some of the issues of concern to the Committee with regard to electronic voting.



My name is Margaret McGaley. I am currently working on a PhD on electronic voting at NUI Maynooth - which is where I got my BSc in computer science. My final year project was about electronic voting, and my conclusions let me to set up Irish Citizens for Trustworthy Evoting (evoting is just short for electronic voting, and refers to any voting system which has electronic parts).



Irish Citizens for Trustworthy Evoting - or ICTE - was set up to convince the Irish Government that evoting in its proposed form poses a genuine threat to our democracy. Many of our members are computer professionals. We are not Luddites, afraid of technology, but concerned citizens who recognise the very real dangers associated with electronic voting. We are not saying that evoting is unworkable, but we are calling for some minimum safety precautions.



There are several issues I will not have time to cover in my presentation, but I will be happy to answer any questions you have on such issues as the use of formal methods and opening the source code to public scrutiny. These are important issues, but they are secondary to what I will be talking about today.



Let me first explain the dangers we see in the proposed system, and then I will describe the solution we propose.



Nedap/Powervote claim that their software is 100% accurate. If their software had been developed to the highest standard possible - for example to the standard generally attained by NASA in their software projects - it would still be expected to contain a minimum of 60 faults. NASA, who's employees' lives depend on the reliability of their software, are among the world's most accurate software developers. Now if NASA (who are rocket scientists) could expect 60 faults in a software project the size of the Nedap/Powervote system, then how many more faults could we expect to find in a system developed by a company who are nowhere near that calibre? My own experience has taught me that no software developer worth their salt would ever dream of claiming 100% accuracy.



The main problem is that if the proposed system was not behaving as it should - either by accident or because of malicious tampering - effects on vote outcomes might never be detected. This is because results cannot be independently verified.



As a voter, what proof do I have that the vote displayed on the voting machine is the one stored? What proof do I have that it is counted correctly? I have to trust that the hardware and software are storing and counting my vote correctly. That means that instead of trusting Gardaí and election officials as we do in the all-paper system, we must trust individual software engineers.



Furthermore, any succesful tampering with the all-paper system affects one constituency, once, whereas a successful attack on the electronic system could affect every constituency every time the system was used.



The simple solution is to provide tangible evidence to each voter that their vote is recorded correctly. I propose that any evoting system used in Ireland must provide a Voter Verified Audit Trail; that is, every voter sees their vote on a piece of paper go into a ballot box. These papers would be the official record of votes cast and would act as a safeguard. Errors in the electronic system would then be detectable, because results could be independently verified. Recounts would be done using the paper ballots. A system of spot-checks would also be introduced whereby constituencies would be chosen at random and the paper ballots counted to confirm the electronic results. The handout I have provided contains a clear explanation of voter verified audit trails. (The handout included http://www.free-project.org/resolution/explain.html)



Now I'd like to dispel 3 myths about voter verified audit trails.



Myth 1) They endanger the secrecy of the ballot.



Untrue! There would be no connection between vote and voter - just as there is no connection between vote and voter in the all-paper system.



Myth 2) Recounts based on the paper ballots would give different results to the electronic count.



Untrue! Just as recounts in the all-paper system make the same transfers as were made in the original count, recounts based on the paper ballots would make the same transfers as were made in the electronic count.



Myth 3) The proposed system provides an adequate audit trail.



The so-called "audit trail" provided by the Nedap/Powervote system serves no useful purpose, and certainly does not mitigate the need for a voter verified audit trail. It is a print-out of the votes records, but provides no assurance that the votes recorded are the votes cast.



The Nedap/Powervote sysetm is not safe as it is. If we must have electronic voting in this country, then we have two main options - replace Nedap/Powervote with a cheaper system using scanners, or alter the Nedap/Powervote system to include a voter verified audit trail.



The first of these options - a new system based on scanning - would look very similar to the all-paper system from the voter's point of view. At the count centre, votes would be scanned and counted electronically.



The second option - altering the Nedap/Powervote system - would involve the addition of a printer to each voting machine. When the vote was cast, the ballot paper would be printed. The voter confirms that the printed ballot is correct, and it is deposited into a normal ballot box. With the addition of printed ballots, at least the potential exists to find any faults in the electronic system.



The minister has repeatedly stated that he is satisfied that the Nedap/Powervote system can be trusted. Well, when it comes to the electoral process, it is not enough that the minister or the government or even the opposition be satisfied. Above all, the electorate must trust the electoral process. As it stands the proposed system is no worthy of their trust.



Thank you for your time.





Glossary of Terms



Computer Science -

the branch of knowledge that deals with the construction, operation, programming, and applications of computers (Oxford English Dictionary)



Evoting of Electronic Voting system -

a voting system which involves electronic components, for example in the counting or vote collection processes.



Fault -

an error in software which may lead to undesired behaviour, for example data corruption or system crash.



Formal Methods -

a set of rigorous mathematical methods of software development, which can greatly reduce the number of faults in a software system.



Hardware -

the physical components of a computer.



Software -

the programs and other operating information used by a computer.



Software engineering -

the professional development, production, and management of software.



Source Code -

human readable instructions, written by software engineers, which describe the actions to be undertaken by a computer.