Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Electronic Voting in Ireland - A Threat to Democracy

  • 08-11-2003 12:44pm
    #1
    Closed Accounts Posts: 67 ✭✭


    Shane Hogan here, co-author of the Labour Party report on Electronic Voting . Some of the press coverage of our report has been misleading, so I'd like to set the record straight here.

    The Labour Party is in favour of Electronic Voting in principle. However, the manner in which Electronic Voting has been implement for the Dept of Environment in Ireland raises many serious concerns about the integrity of the voting process.

    The current system does not provide a Voter Verifiable Audit Trail (VVAT), which is becoming the generally accepted international minimum standard for eVoting systems. VVAT provides the voter with 100% confidence that their individual vote is recorded and counted accurately, by providing a paper-based backup to the electronic system.

    Other major concerns with the include;

    - A marked absence of control procedures regarding setup of the count centre PCs, security of the count centre PCs, restricting access to the count centre PCs, transferring data between count centre PCs by floppy disk, verification of software version on count centre PCs
    - No integrated end-to-end testing - each of the individual system components have been tested in isolation, but no integrated testing has been carried out. The testing of the IES counting software was done with the randomisation feature disabled, which does not reflect how the system will operate in the live environment.

    Our report also highlighted the fact that there is serious doubt about the promised cost savings. The saving in personnel required to count votes will be outweighed by the additional personal required to operate the voting machines, as each of the 7,000 voting machines requires a dedicated operator to enable the machine for each voter/vote.

    And finally, we recommended that the eVoting system in Ireland is put under control of an independent body, such as the Standards in Public Offices Commission, instead of being under the control of the Dept of Environment, which is effectively an arm of Government.

    Minister Cullen's response to our report was most disappointing. He attempted to divert attention from these key issues by questioning the credentials of the authors. [See section 7.3 of the report if you wish to satisfy yourself regarding the credentials of the authors]. His reference to problems with voters taking receipts out of the voting booth is curious, given that we never made any such recommendation. It appears that the Minister does not understand the basic principle of Voter Verifiable Audit Trail.

    I would encourage any interested voter from any party to read our report - I'll be happy to respond to any queries or issues in this forum.

    Regards - Shane


Comments

  • Closed Accounts Posts: 805 ✭✭✭vinnyfitz


    Hi Shane
    Thanks for opening up this debate here.
    I look forward to reading the report - but to start off I wonder whether it is possible to adapt the system which the DoE has bought so as to institute a VVAT or would we have to invest in a completely new system to solve this problem?

    V


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Having read that report, a number of points. (I take it you can accept that most people posting here have formal qualifications in computer science or engineering and thus have professional opinions on this specific topic?)

    VVAT
    The VVAT is an excellent idea, but formal procedures for it's handling must be implemented - after all, the VVAT at the end of the day is nothing more than a printed list of votes without any possibility of authenticating the list independently if it was to be left unsecured for any length of time.

    Formal methods and public trust
    Formal Methods have nothing to do with a piece of software's trustworthiness. It's perfectly possible to analyse a piece of software wth formal methods without ever divulging the results. You could use formal methods (at least in theory) to verify a corrupt voting system without inconsistency. The problem would lie in the fact that Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system. Chunks of a system can be formally analysed using Formal Methods, but not any whole system of any real complexity - and the evoting system itself comprises several complex systems. It's far beyond the abilities of the mathematics in the Formal Methods research domain to fully analyse, at least for the foreseeable future. As such, even talking about them is not much more than a display of technical ignorance of the e-voting system.

    What is required is not Formal Methods, but an Open Source policy, as was done in Austrailia's e-voting system, as described in this article recently. Source code, electronic schematics, documentation, bug reports and software updates must be made publicly available, and the public need to be able to point out errors and submit proposed corrections to fix those errors. The infrastructure for doing this in a secure fashion is already available and tested, as shown by large software projects like Mozilla, Postgresql, Linux and many others.

    This will necessitate the abandonment of proprietary systems alltogether unless the companies involved agree to the open source policy. This would be no bad thing - the idea that elections should be entrusted to Microsoft Access is mindbogglingly incompetent given it's reputation for being inappropriate for critical use.

    Datasets and independent analysis
    Not only must the final results be made available, so must the authenticated raw data from the polling booths so that results can be independently verified by any citizen with the desire to do so.

    None of the Above
    There is no "None of the Above" option available in the currently planned electronic ballot. Votes cannot be spoilt accidentally, but also cannot be spoilt in protest. Given that there were in excess of 18,000 spoilt votes nationwide in the last general election, this suggests that the right to refuse to elect any of the proposed list of candidates is something that's necessary to protect what few democratic rights we have.
    The None of the Above proposal should be accepted and implemented.


  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Closed Accounts Posts: 67 ✭✭ShaneHogan


    Originally posted by vinnyfitz
    I wonder whether it is possible to adapt the system which the DoE has bought so as to institute a VVAT or would we have to invest in a completely new system to solve this problem?

    V

    I don't have a definitive answer to this, but I believe it is unlikely. The current Nedap voting machines do have an integrated printer, but the printer is intended for low-grade usage, i.e. printing off a summary at the start/end of the day. I doubt if this printer would be up to the task of printing a paper vote for each/every voter. Also, for VVAT, it is essential the the paper vote is visible for inspection by the voter, but cannot be handled by the voter - it should feed directly into a ballot box. It is unlikely that the it would meet these requirements unless the voting machine/printer was specifically designed to operate in this manner.

    Hi Sparks
    Originally posted by Sparks
    The VVAT is an excellent idea, but formal procedures for it's handling must be implemented - after all, the VVAT at the end of the day is nothing more than a printed list of votes without any possibility of authenticating the list independently if it was to be left unsecured for any length of time.
    Agreed - the procedures for the current manual system would apply here.
    Originally posted by Sparks
    analyse a piece of software wth formal methods without ever divulging the results. You could use formal methods (at least in theory) to verify a corrupt voting system without inconsistency. The problem would lie in the fact that Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system. Chunks of a system can be formally analysed using Formal Methods, but not any whole system of any real complexity - and the evoting system itself comprises several complex systems. It's far beyond the abilities of the mathematics in the Formal Methods research domain to fully analyse, at least for the foreseeable future.
    I don't claim expertise in Formal Methods - my partner in the report worked in this area. The requirement for Formal Methods was based on the importance of improved reliability and reduced bug count. This area was well covered in Margaret McGaley's research report from earlier this year.
    Originally posted by Sparks
    As such, even talking about them is not much more than a display of technical ignorance of the e-voting system.
    Charming! But given the basic lack of knowledge on our current eVoting system demonstrated by your next two points, people in glasshouses...
    Originally posted by Sparks
    Not only must the final results be made available, so must the authenticated raw data from the polling booths so that results can be independently verified by any citizen with the desire to do so.
    The raw data from the trial usage of the eVoting system is available - see Dublin County Returning Officer Electronic Voting Count Results
    Originally posted by Sparks
    There is no "None of the Above" option available in the currently planned electronic ballot. Votes cannot be spoilt accidentally, but also cannot be spoilt in protest.
    Not correct. If you apply for a vote, get your name crossed off the register, get a 'ticket' to vote and then you fail/refuse to hit the 'cast vote' button on the voting machine, your vote is treated as 'uncompleted'. Each voting machine operator much account for every uncompleted vote, and at the end of the day, the returning officer (or is it the presiding officer) much reconcile the number of votes applied for (i.e. the number of tickets issued), the number of votes completed and the number of votes not completed. These uncompleted votes are counted & tracked on special forms. The Dept did not release numbers of these uncompleted votes from the trial elections, but these would roughtly equate to the spoiled votes under the old system.

    Thanks - Shane


  • Registered Users, Registered Users 2 Posts: 1,733 ✭✭✭Zaphod


    I have an observation on this matter of a paper trail/verification of the electronic vote. In the current non-electronic system, a person casts their ballot, which is jumbled up with all the other ballots when it comes to the count. This ensures total anonymity.

    If there is a printer attached to an electronic voting machine, which prints a record of each vote cast onto a spool of paper, then there is a chronological record of how votes are cast. So, for example, in a referendum if a journalist sits outside the polling station when it opens and notes that Mr A goes in first to vote at 8.10am, Mr B goes in at 8.22am and Mrs C goes in a 8.35am, when it comes to the vote count he can look at the voting sheet and see that the first vote was Tá (Mr A), the second Níl (Mr B) and the third Tá (Mrs C). The principal of anonymity breaks down.

    I guess one possible solution would be to use specially modified printers, which would print the record onto individual 'voting tickets' which would be jumbled up just like the current ballots.


  • Advertisement
  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    It's all well and good saying that evoting is good or bad for our democracy, but until we find out exactly what system is being employed and the Minister sets out his reasoning behind it and that of his experts, we can only speculate. We had a system employed in Nice 2 and the last general election but my understanding was that it was to be upgraded.
    Trust in the political process is important, trust in the voting system must be absolute. For the Minister to do all the work behind closed doors for so long after he has decided the system is the one he wants is intloerable.
    Let's see it.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by ShaneHogan
    I don't claim expertise in Formal Methods - my partner in the report worked in this area. The requirement for Formal Methods was based on the importance of improved reliability and reduced bug count. This area was well covered in Margaret McGaley's research report from earlier this year.
    I've read that report already and I'm not convinced of her conclusions regarding formal methods. I'd recommend you contact the Formal Methods Research Group in TCD's Computer Science Department for a more definitive statement (my specific area is robotics, not formal methods, I have only informal contact with that research group), but even McGaley's cited source (Halloway) states that Formal Methods isn't yet usable on large complex systems.

    On top of which, it couldn't be used on the current system since the current system is based on Microsoft Access, a closed-source database which hasn't been analysed using such methods, is arguably too large to do so, and whose source could not be made public in any event.

    McGaley does make the point several times though, that the source code for the system must be publicly available, which is the foundation of the Open Source way of doing things and which is how the Austrailian system works.
    Charming!
    Perhaps not, but accurate nonetheless. You asked for opinions, that's my professional one as a computer engineer, and also my first impression after listening to the discussion on this topic on the RTE 1300 news last week. If you'd wanted tact, I'm not the man to ask for, as many here will tell you, but I have the saving grace of being honest.
    But given the basic lack of knowledge on our current eVoting system demonstrated by your next two points, people in glasshouses...
    The raw data from the trial usage of the eVoting system is available - see Dublin County Returning Officer Electronic Voting Count Results
    That I didn't know of, but I've never seen the site before.
    Which would seem to point to another requirement for an evoting system - that there be a central, well-known point to access all data and news relating to it. Is that site pointed to from anywhere in the oasis.gov.ie site or anywhere more public?
    Not correct.
    <snip>
    These uncompleted votes are counted & tracked on special forms. The Dept did not release numbers of these uncompleted votes from the trial elections, but these would roughtly equate to the spoiled votes under the old system.
    They may be analagous but they're not the same. In fact, they're even less noticable if they don't even release the number of uncompleted votes.

    And you still have no valid "none of the above" option. If the objective is to decrease voter apathy and increase turnout, providing the option would appear to be a positive step.


  • Closed Accounts Posts: 67 ✭✭ShaneHogan


    Originally posted by Zaphod
    I guess one possible solution would be to use specially modified printers, which would print the record onto individual 'voting tickets' which would be jumbled up just like the current ballots.

    Hi Zaphod.
    It is a basic principle of VVAT that individual voting tickets would be printed and fed into a ballot box. This was certainly what we intended with the recommendation "Once the voter confirms that the receipt is correct, the printed ‘receipt’ automatically goes into a ballot box & the vote is also stored electronically". I realise that we did not explicitly emphasise that each receipt would be individual - we will certainly clarify this point in any future publications.

    You highlight the key challenge in relation to eVoting systems - how to provide a Voter Verifiable Audit Trail while protecting the anonymity of the voter.

    Hi Star Gazer
    Originally posted by star gazer
    It's all well and good saying that evoting is good or bad for our democracy, but until we find out exactly what system is being employed and the Minister sets out his reasoning behind it and that of his experts, we can only speculate. We had a system employed in Nice 2 and the last general election but my understanding was that it was to be upgraded.
    Trust in the political process is important, trust in the voting system must be absolute. For the Minister to do all the work behind closed doors for so long after he has decided the system is the one he wants is intloerable.
    Let's see it.

    Most of the details of the system to be used are in the public domain. The only details not in the public domain AFAIK are the source code and the contractual details. There are no significant upgrades planned to the system that was used in the trials during the last general election (3 constituencies) and Nice II (7 constituencies). See our report for more details.

    Hi Sparks
    Originally posted by Sparks
    Perhaps not, but accurate nonetheless. You asked for opinions, that's my professional one as a computer engineer, and also my first impression after listening to the discussion on this topic on the RTE 1300 news last week. If you'd wanted tact, I'm not the man to ask for, as many here will tell you, but I have the saving grace of being honest.

    I'm still not convinced that your claim that even talking about formal methods was "not much more than a display of technical ignorance of the e-voting system" was either accurate or honest. Having reviewed piles of harcopy & softcopy documentation from the Dept of Environment, reviewed international papers on eVoting and prepared/reviewed/finalised this substantial report, I would humbly suggest that I am not ignorant of the eVoting system. I would humbly suggest that I know more about the eVoting system than anyone who has not devoted considerable time & effort to this specific implementation.

    Now if you had chosen to cast aspersions on my experience of Formal Methods, you might have a reasonable arguement. But you didn't - you accused me of "not much more than a display of technical ignorance of the e-voting system". This is not accurate.
    Originally posted by Sparks
    They may be analagous but they're not the same. In fact, they're even less noticable if they don't even release the number of uncompleted votes.
    True. The Dept really should be reporting these non-completed votes. I guess it might be possible to get this information under an FOI request if the Dept don't start publishing it.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by ShaneHogan
    I'm still not convinced that your claim that even talking about formal methods was "not much more than a display of technical ignorance of the e-voting system" was either accurate or honest.
    I don't see why not - formal methods have nothing to contribute to the problem of developing a trustworthy e-voting system. In fact in their present state of development, I do not believe they could even be used on the system as a whole.
    Having reviewed piles of harcopy & softcopy documentation from the Dept of Environment, reviewed international papers on eVoting and prepared/reviewed/finalised this substantial report, I would humbly suggest that I am not ignorant of the eVoting system. I would humbly suggest that I know more about the eVoting system than anyone who has not devoted considerable time & effort to this specific implementation.
    Now if you had chosen to cast aspersions on my experience of Formal Methods, you might have a reasonable arguement. But you didn't - you accused me of "not much more than a display of technical ignorance of the e-voting system". This is not accurate.

    So what you're saying is that after devoting considerable time and effort to studying the e-voting system, you're of the opinion that Formal Methods, a system which I've heard dismissed for practical use today by the very researchers working on them, is the key requirement?

    Let me ask you a question then - why put such emphasis on Formal Methods, which do not in any event ensure trustworthiness (they're only designed to ensure that a program does what it's specification says it should, regardless of that specification), while not putting as much emphasis on Open Source development methods and the need for the system to be totally in the Public Domain?
    True. The Dept really should be reporting these non-completed votes. I guess it might be possible to get this information under an FOI request if the Dept don't start publishing it.
    For only twenty euros...
    Not the optimal solution.
    The "None of the Above" option being made a valid choice would be a far better solution.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by ShaneHogan
    Most of the details of the system to be used are in the public domain. The only details not in the public domain AFAIK are the source code and the contractual details. There are no significant upgrades planned to the system that was used in the trials during the last general election (3 constituencies) and Nice II (7 constituencies). See our report for more details.

    Shane, if the source code and electronic schematics of the system are not available in the public domain, you might as well chuck the rest of the details out the window, because you have absolutely no way of verifying that the system they describe is the system you're using. The disparity between what the documentation says the system is or does, and what it is or does in reality, is so well-known to be invariably large that it's the source of more jokes than I've had hot dinners.

    As to upgrades, the process of applying hardware or software upgrades must be formalised - as shown in the US in the last week, patching of software hours before an election has happened in the past, and unless the procedure for doing so is formalised and the software itself checked on the day in a formal manner, you can discard all available information on the system completely, as unverifiable and useless.


  • Advertisement
  • Closed Accounts Posts: 67 ✭✭ShaneHogan


    Originally posted by Sparks
    I don't see why not - formal methods have nothing to contribute to the problem of developing a trustworthy e-voting system. In fact in their present state of development, I do not believe they could even be used on the system as a whole.
    This is your opinion - not one which I agree with, or which most of the other researchers who have reviewed this topic seriously agree with, but it is your opinion, and I respect it as such. I see no reason how you came to a conclusion that an opposing opinion shows 'not much more than technical ignorance of the eVoting system'. At best, you could accuse me of not being an expert on formal methods, but your accusation of showing 'not much more than ignorance on the eVoting system' just doesn't stand up.
    Originally posted by Sparks
    So what you're saying is that after devoting considerable time and effort to studying the e-voting system, you're of the opinion that Formal Methods, a system which I've heard dismissed for practical use today by the very researchers working on them, is the key requirement?
    It is one of several recommendations in the report. The fact that it is a system which you have heard dismissed during your 'informal contact' with that research group does not strike me as having substantial weight in this debate. If I tell you that my mate told me that the system is really great, would you accept that? Of course not.
    Originally posted by Sparks
    Let me ask you a question then - why put such emphasis on Formal Methods, which do not in any event ensure trustworthiness (they're only designed to ensure that a program does what it's specification says it should, regardless of that specification), while not putting as much emphasis on Open Source development methods and the need for the system to be totally in the Public Domain?
    Our report doesn't put 'such emphasis' on formal methods. It is one of several recommendations. We recognised that it is too late for it to be applied to the current system and recommended that it be used for any future system. We also recommended that the code be placed in the public domain.
    Originally posted by Sparks

    For only twenty euros...
    Not the optimal solution.
    Agreed.
    Originally posted by Sparks

    Shane, if the source code and electronic schematics of the system are not available in the public domain, you might as well chuck the rest of the details out the window, because you have absolutely no way of verifying that the system they describe is the system you're using. The disparity between what the documentation says the system is or does, and what it is or does in reality, is so well-known to be invariably large that it's the source of more jokes than I've had hot dinners.
    See section 5.2 of our report for recommendation to release the source code into the public domain.
    Originally posted by Sparks

    As to upgrades, the process of applying hardware or software upgrades must be formalised - as shown in the US in the last week, patching of software hours before an election has happened in the past, and unless the procedure for doing so is formalised and the software itself checked on the day in a formal manner, you can discard all available information on the system completely, as unverifiable and useless.
    See section 5.4 of our report for recomendations to avoid tampering with software.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by ShaneHogan
    This is your opinion - not one which I agree with, or which most of the other researchers who have reviewed this topic seriously agree with, but it is your opinion, and I respect it as such. I see no reason how you came to a conclusion that an opposing opinion shows 'not much more than technical ignorance of the eVoting system'. At best, you could accuse me of not being an expert on formal methods, but your accusation of showing 'not much more than ignorance on the eVoting system' just doesn't stand up.
    Then let me explain it more basicly.
    The e-voting system's requirements list does include that it should be error-free, but more importantly than that, it should be uncorrupted - that is, it should implement a fair election rather than implementing a corrupt (in the political sense) system. That this can happen is well-known, as you can verify, having studied the Diebold cases in the US, where many voting systems were accessed during the voting period in ways proscribed by federal law, in some cases undetectably.

    Fufilling this requirement that the system should implement a fair election cannot be achieved through the use of formal methods. At all. Ever. They are completely the wrong tool for the job. It would be like trying to use algebra to hammer a nail into a piece of wood.

    What is needed to fufill that requirement is an Open Source approach, as shown by the Austrailian efforts in this area that I linked to above.
    Formal Methods are just (in effect) irrelevant. They wouldn't catch source code bugs, they wouldn't prevent subversion of the system by a programmer, and they cannot ensure that the public can trust the system. To recommend them as critical to an eVoting system implies (in the best case scenario) that you don't understand the technology in an eVoting system - which is a critical failing for someone proposing policy in this area. And since the only difference between our normal voting system and an evoting system is the technology, it follows that saying that Formal Methods are critical to such a system implies insufficent understanding of that system.
    Clearer?
    The fact that it is a system which you have heard dismissed during your 'informal contact' with that research group does not strike me as having substantial weight in this debate. If I tell you that my mate told me that the system is really great, would you accept that? Of course not.
    It depends. If it's just "your mate down the pub", you'd be correct. If, on the other hand, it was a senior lecturer in the computer science department who happened to be the head of the formal methods research group, and he was responding to a direct question on whether or not formal methods were currently usable for complex systems, I might give his opinion more weight.
    Wouldn't you?
    Remember, "informal contact" in an academic environment like the one I work in doesn't mean a chat over a pint, it just means that it wasn't published in a journal or a conference proceedings.
    Our report doesn't put 'such emphasis' on formal methods.
    Actually it does. It says they're critical, in section 5.2
    See section 5.2 of our report for recommendation to release the source code into the public domain.

    5.2 confuses formal methods and availibility of source code in an overly vague manner, and it doesn't handle the availability issue properly.
    5.2 No Formal Methods used in development of software
    Formal methods refers to a set of mathematically-based techniques that are used in the development of safety-critical software, such as airplane navigation systems or life-support machines.

    In the analysis actually, not during the development process. Formal methods don't come into the development process until after the design is complete. They're effectively a testing procedure.
    These techniques make it possible to mathematically prove, or at least significantly raise, the accuracy of the software. However, software development using formal methods can be slower than traditional methods and the skills required are typically more expensive. While DoEHLG have not made the actual source code publicly available, it is clear from the technologies used and the source code review that formal methods were not used in development of either the IES system or the Nedap voting machines.

    As I've said before, if you don't see the source code, the other documents are worthless because there's no way to verify them. Which means that you can't make any judgements from those documents. What makes it clear that formal methods weren't used is the fact that a central part of the Nedap system is Microsoft Access - and the source code for that database system isn't publicly available and therefore couldn't be analysed with formal methods, even if the complexity of the system didn't preclude that avenue, which it does.
    Therefore (unless these systems are absolutely unique in the world of software development), we know that there must be bugs in the software it is just a question of how many bugs and how significant they are.

    Formal methods don't pick up bugs. They pick up design errors. One level of abstraction up. Also, you've omitted that a major source of bugs would be the external software (Microsoft Access in this case as well as any other external software used) which can be changed without warning and which cannot be verified without source code which is not publicly available.
    That's just not acceptable for a system designed to elect the government.
    Recommendation: We recommend that DoEHLG releases the source code and test results of both the IES system and the Nedap software to public review, in order to independently assess the quality and reliability of the software.

    This is important, but phrased like this, quickly becomes worthless. The code must not just be released to public domain, it must be maintained in the public domain, in the same manner as other Open Source projects. Otherwise, the system in the box on election day could be totally different from the previously released system. For example, I can get access to every release of the web browser Mozilla, going back to it's first version, and I can get the changelogs explaining the differences between each and every version, who made the changes and why. I can get access to every known bug, as and when the developers get it, and if I come up with a solution to that bug, there's a method to submit my solution in a secure manner (so as to prevent me writing a fix to a bug that actually subverts the system). Large software packages have been done in this way for years now and the techniques and tools required are not only well-developed, but are publicly available.
    The release of the source code in the public domain will ensure that the system in analysed by a broad range of experts in Ireland and beyond. This would also help to reassure the public that there is nothing to hide . These independent assessments will allow for public confidence in the software used to drive the electronic voting system. We also recommend that formal methods be used considered a key requirement for any future electronic voting systems for Ireland.

    Formal Methods can't be a key requirement, they're not industry-ready yet. And Open Source methods must be a key requirement, but you should be specifying that seperately and not mixing the two together like that, because they're very different things.
    See section 5.4 of our report for recomendations to avoid tampering with software.

    5.4 doesn't go far enough. It is possible in hardware to ensure that the voting system is placed on a read-only medium so that changes cannot be written to it. Failing a hardware approach, unix-based operating systems can designate specific disks to be read-only in software. There needs to be a designated period before the election where changes cannot be made to the software to allow independent observers time to analyse the software, and such independent observers should be contracted to do so.


  • Closed Accounts Posts: 67 ✭✭ShaneHogan


    Thanks for your valuable feedback. I'll give it all the attention it deserves.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    As a seperate question Shane, did you consult with the Electronic Frontier Foundation or attempt to contact the original members of the Irish branch, Electronic Frontier Ireland?
    This area is precisely in their area of expertise.


  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    ...transferring data between count centre PCs by floppy disk...
    ...a central part of the Nedap system is Microsoft Access...
    Jesus wept! What sort of friggin' amateurs are we dealing with here??


  • Registered Users, Registered Users 2 Posts: 1,695 ✭✭✭dathi1


    Sparks..forgive my ignorence..the platform used on Nice 2, was it Microsoft based?

    Thanks for the education.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by dathi1
    ]Sparks..forgive my ignorence..the platform used on Nice 2, was it Microsoft based?
    Thanks for the education.
    As far as I know, Nedap's system was used for the Nice 2 referendum, which is based on Microsoft Access.
    As are some of the US evoting schemes, which have been found to have .... interestingly complex tally schemes. As in :
    Votes come in in Access database A, get copied to database B and then tallied into database C.
    Meaning that you could play about undetected with database B, because it's never displayed anywhere to the operators.


  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    This certainly is an education.

    Microsoft Access????? Great for amateur users to setup their address books using wizards - until the database becomes corrupt.

    I have been a programmer for nearly 20 years now. You can have all of your Formal Methods, Structured Metohdoligies, Flow charts etc - these al reflect what should be done.

    What is actually done, and what is most important is written in the code. The only way to absolutely verify code is to see it.

    Im with sparks on this one.

    Just one point sparks..
    You say that we would need to be able to see the MS Access code. Would we also need to see the OS Code, and all of the other code on chips in the computer. I know Im being a bit of a prat - but isnt it the logical conclusion?


    MS Access - I still cant believe it. A text file would be safer!

    Paddyo


  • Closed Accounts Posts: 2,862 ✭✭✭mycroft


    http://www.truthout.org/docs_03/110403E.shtml


    Diebolt using copyright laws to supress free speech.

    Diebolt are the builders of the the US's electronic voting system


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by Paddyo
    Just one point sparks..
    You say that we would need to be able to see the MS Access code. Would we also need to see the OS Code, and all of the other code on chips in the computer. I know Im being a bit of a prat - but isnt it the logical conclusion?
    Right down to the schematics of the polling booth machines Paddyo. Which is why those details are all available for the Austrailian system, and the OS they use is linux.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    Right down to the schematics of the polling booth machines Paddyo. Which is why those details are all available for the Austrailian system, and the OS they use is linux.

    And I presume the workstations or other equipment which would be used in transferring and tallying the results.


    Paddyo


  • Closed Accounts Posts: 805 ✭✭✭vinnyfitz


    More support for your VVAT argument Shane here. I must say its hard to argue against this standard.

    But isn't this an appalling vista for Minister Cullen? 35 million Euro down the drain or can the machines be adapted?


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    As long as it's an opensource e-voting system then i'm all for it!


  • Closed Accounts Posts: 67 ✭✭ShaneHogan


    Originally posted by vinnyfitz
    More support for your VVAT argument Shane here. I must say its hard to argue against this standard.

    But isn't this an appalling vista for Minister Cullen? 35 million Euro down the drain or can the machines be adapted?
    Hi Vinny - Sorry for delay in responding. That UK site give the best explanation of VVAT that I've seen so far.

    In relation to your appaling vista question, I guess that it why the minister & the dept are scrambling so hard to protect the reputation of their chosen system. I think it is unlikely that the current Nedap machines could be retro-fitted for VVAT - see discussion earlier in this thread, though I can't be 100% sure on this point.

    Just to get back to the 'formal methods' issue, I was contacted by staff of Praxis Critical Systems, a UK business who make their living from the development of high-integrity systems. Interestingly enough, they are not planning on closing down their business and walking away, based on the news from Sparks/TCD that "Formal Methods as a branch of analysis is about two to three decades behind application software for complete analysis of a system". Their view is that Formal Methods would certainly be quite appropriate for specification and/or development of an eVoting system. Feel free to read their report here. Taking their view and the research report from McGaley/Gibson (both with strong academic backgrounds in formal methods), I'm comfortable that our recommendation re. formal methods stands up.

    But formal methods isn't the core issue - neither is open source, or security procedures. The core issue is VVAT - Voter Verifiable Audit Trail - once we have VVAT, there is no incentive for anyone to attempt to break the system, as the paper-based backup is the primary source in case of any dispute or inquiry. Keep an eye on the Irish eVoting mailing list as more & more worrying news regarding the Irish system leaks out.

    Regards - Shane


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    It would seem common sense that there would be a paper trail.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    I sent this out to two Cork techie mailing lists this morning. Obviously the details are localised but you get the picture. Please do get in touch with any of the TD's or senators mentioned if they represent you in some way.

    adam
    From: adam beecher
    Sent: 24 November 2003 11:26
    To: CorkWAN Discuss
    Subject: FW: [E-voting] Oireachtas joint committee examining voting
    machines on2003/11/25

    Sorry for the off-topic post. An Oireachtas committee will meet tomorrow at 2:30 to discuss electronic voting with Martin Cullen, the Minister responsible. As people that understand technology and communications, electronic voting in Ireland should concern you, particularly the closed and questionable system our government wants to implement.

    At least two Cork TD's - Billy Kelleher (FF, Cork North Central) and Bernard Allen (FG, Cork North Central) - will be in attendance, so if you have a moment please contact them to express your concerns -- you'll find contact details on the websites below. Fax would be preferable at this late stage.

    http://www.finegael.ie/Representatives/representatives.cfm?id=12&TD_Key=18
    http://www.bernardallentd.com/

    http://www.fiannafail.ie/td_cv_67.htm
    http://www.billykelleher.com/

    Here are a few suggested questions you can ask:

    - Will the Minister personally vouchsafe that testing carried out on the Nedap/Powervote system was 100% independent?
    - Will the Minister agree to a code review and security audit by members of the Irish developer community?
    - Will the Minister halt all spending on voting machines until this review has taken place?
    - Does the Minister agree that a Voter Verifiable Audit Trail (VVAT) should be manadatory for electronic voting systems?

    Please bear in mind when considering this subject that if electronic voting goes unchallenged, the government will almost certainly roll voting machines out across the country in next year's local elections. Your money will buy these machines -- do you know enough about them to trust them with your vote?

    The members of the committee are listed below. If there are any other relevant TD's or senators, please contact them also. You can read more about electronic voting in Ireland and/or browse mailing list archives discussing the subject here:

    http://evoting.cs.may.ie/

    Thanks,
    adam


    >
    Original Message
    > From: e-voting-bounces@lists.stdlib.net
    > [mailto:e-voting-bounces@lists.stdlib.net]On Behalf Of Adrian Colley
    > Sent: 24 November 2003 10:25
    > To: Irish Citizens for Trustworthy Evoting
    > Subject: [E-voting] Oireachtas joint committee examining voting machines
    > on2003/11/25
    >
    >
    > According to <URL:http://www.gov.ie/oireachtas/sch-week.htm>, the
    > Oireachtas Joint Committee on Environment and Local Government will
    > meet tomorrow at 2.30pm with these agenda:
    > > Discussion with Minister for the Environment and Local Government on
    > > electronic voting and Presentation by Department Officials on the
    > > Nedap Voting System.
    >
    > The members of the joint committee are:
    > Bernard Allen TD (FG) John Cregan TD (FF)
    > Ciarán Cuffe TD (Green) Eamon Gilmore TD (Lab)
    > Noel Grealish TD (PD) Seán Haughey TD (FF)
    > Jackie Healy-Rae TD Billy Kelleher TD (FF)
    > Padraic McCormack TD (FG) John Moloney TD (FF)
    > Seán Power TD (FF) Sen. James Bannon (FG)
    > Sen. Cyprian Brady (FF) Sen. Michael Brennan (FF)
    > Sen. Michael McCarthy (Lab)
    >
    > This might be a good opportunity to enlighten some souls. Perhaps
    > someone could contact this lot on behalf of our little group,
    > providing some appropriate questions for the Minister and his
    > minions? Margaret? Catherine? One of my local TDs is in the list,
    > so I'll be talking to him before the Committee meetings; it mightn't
    > be a bad idea if others here do something similar.
    >
    > --Adrian.
    >
    > --
    > GPG 0x43D3AD19 17D2 CA6E A18E 1177 A361 C14C 29DB BA4B 43D3 AD19
    > http://user-aecolley.jini.org/
    >


  • Registered Users, Registered Users 2 Posts: 78,579 ✭✭✭✭Victor


    I just found this, dated 30 October 2002.

    http://www.environ.ie/
    Media Centre > Press Releases > Minister Cullen, roll out of electronic voting for 2004 Local Government and European Parliament Elections 30 October2002

    Minister Cullen announces roll out of electronic voting
    for 2004 Local Government and European Parliament Elections

    Mr Martin Cullen TD, Minister for the Environment and Local Government has today (30th October) announced that electronic voting will feature in all electoral areas for the 2004 Local Government and European Parliament Elections. Minister Cullen made the announcement following today's cabinet meeting.

    Announcing the extension, Minister Cullen stated that the success of electronic voting was clear to see at the recent Nice Referendum. 7 constituencies used electronic voting at the referendum with results for each announced within three hours of the close of polls.

    Minister Cullen said: "Following the successful introduction of the electronic system at the May 2002 general election and at the Nice referendum, I am delighted to announce that the Government have decided to use electronic voting and counting throughout the country in the European and Local elections in 2004.

    "Reaction to the electronic experience has been overwhelmingly positive both from voters and from electoral administrators and I will be pressing ahead immediately with the planning for the 2004 polls. I am convinced that electronic voting will make it easier for the public to vote, will improve the efficiency of electoral administration, will provide earlier results, will support a positive image of the country in its use of information technology and will help to modernise the democratic process in all its facets.

    "Presentation of results, marrying the new electronic system with the more traditional methods of the past is now the priority. I believe every count centre should have a large screen where the results of each count are shown. This enables everyone involved – candidates, voters and the media to see results clearly, who is elected, who is eliminated, where transfers are going and the trends emerging", he said.

    A publicity campaign will be run nationwide in the lead up to the 2004 elections to inform voters on the operation of the voting machine.

    The nation-wide rollout will involve the use of almost 7,000 voting machines in 267 local electoral areas.

    Electronic voting was first used at the general election in May of this year in the constituencies of Meath, Dublin North and Dublin West and was rolled out in a further four constituencies (Dublin Mid West, Dublin South West, Dublin South and Dun Laoghaire) at the recent referendum.

    ENDS


  • Closed Accounts Posts: 805 ✭✭✭vinnyfitz


    Well Yes I think that this is this plan which Shane is writing about.

    The way I see it though, its a bit late to be complaining about NEDAP Powervote now. Those 7000 machines must have been ordered (and paid for?) months ago. The main question, which no one seems to be able to answer, is whether they can be adapted swiftly to provide a VVAT and, if not, whether the level of risk in using them without a trail is so great that we should either mothball them untill someone designs and manufactures the printers and glass tubes and so we can all see the paper copies of our votes before they go down the enclosed chute into the sealed, reserve, ballot boxes?

    Is it worth delaying the commissioning of these machines for a couple of years? Are people arguing that Council or MEP elections are so rigourously contested that we are at risk of IT fraud? That will probably be the debate in the Dáil committee tomorrow.


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    Given that Cullen seemed only to come up with the advantage of speed for electronic voting and that it will look good doesn't signify a sufficient case for taking the risk (however small) of changing the voting and vote-counting system in the country.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Well, this topic was just brought up on Questions and Answers, though quite unsatisfactorially in my opinion. No-one pointed out that noone knows how these machines work, or whether or not they're secure. Rather poor, that. At least someone pointed out the storage cost (50,000 euro per year per constituency!).


  • Registered Users, Registered Users 2 Posts: 15,443 ✭✭✭✭bonkey


    In other recent news, the US have pulled the idea of using internet-voting for overseas voters, following a government-comissioned study which found that it was just not secure enough.

    Right decision, taken for the right reasons : Analyse, get the decision, and go with it.

    Why can't our government do things that simply????

    jc


  • Closed Accounts Posts: 58 ✭✭pooka


    Originally posted by Sparks
    Well, this topic was just brought up on Questions and Answers, though quite unsatisfactorially in my opinion. No-one pointed out that noone knows how these machines work, or whether or not they're secure. Rather poor, that. At least someone pointed out the storage cost (50,000 euro per year per constituency!).

    I thought it went well, considering. Certainly for anyone from the public watching that debate, it will be apparent that the proposed electronic voting is untrustworthy.

    I thought my point (I was the chap with the beard; it was about how difficult it has been to get information on this system) should have made it clear that we have only a limited understanding of the system, and that this is a problem in itself.

    From the access we have been able to get, things look quite bad; one example of the seemingly amateur way this whole system has been developed is that while three entities - the developers, the code reviewers, and the testers - were working together on tracking problems with the system, they did not even use a formal bug tracking method.

    Unfortunately Margaret didn't get to rebuff the Minister's points about e-voting, and Bowman interrupted her before she could discuss the addition of a voter verified audit trail. Also, the debate was rushed because Bowman wanted to get through his topics, which is a shame considering that so much time was spent on less important matters (the presidency and that bloody jungle thing).

    It was a good day for the ICTE (http://www.evoting.cs.may.ie). When you're dealing with the media, you have to be aware that important points just won't get made. Considering the time given to it, the debate went well, and I think the public are rather uncertain about this system. Hopefully this will help to keep it in the spotlight.

    Cian

    PS. I haven't read this thread before, but with regards to the barney over formal methods: I would agree that using them for large, complex systems is not an option. However, the PR-STV count rules could certainly be formally analysed and specified; this would aid greatly in the trustworthiness of the count software. It would also be a good exercise in throwing up requirements implicit in the legislation. As Sparks points out, however, all that can go in the bin if the system is not open to public scrutiny. From what data we have been able to gather, it looks like the specification document for the count has undergone 8 revisions, going from a very tight spec to something that looks quite messy. I hate to think what the code looks like at this stage.


  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by pooka
    I thought it went well, considering. Certainly for anyone from the public watching that debate, it will be apparent that the proposed electronic voting is untrustworthy.
    Having watched it, I'd have to say that that's not a fair conclusion. The case wasn't decisively made :(
    I thought my point (I was the chap with the beard; it was about how difficult it has been to get information on this system)
    *sound of cogs turning*
    Ah! Right, with you now...
    should have made it clear that we have only a limited understanding of the system, and that this is a problem in itself.
    Er, no. I could see what you were trying to say but only because I knew it beforehand. You were referring to "the information" rather than saying exactly what was being sought from the department. To be honest, I did rather get the impression that the initial panel presentation didn't go according to plan - there was the potential there to list off the key problem points, which was sadly missed. But then, that's easy to know sitting on the couch with a mug of tea in your hand - sitting in front of a hundred people under hot lights and TV cameras is something else altogether.
    From the access we have been able to get, things look quite bad; one example of the seemingly amateur way this whole system has been developed is that while three entities - the developers, the code reviewers, and the testers - were working together on tracking problems with the system, they did not even use a formal bug tracking method.
    *sound of Sparks choking on his tea*
    They weren't even using something like Bugzilla?

    Unfortunately Margaret didn't get to rebuff the Minister's points about e-voting, and Bowman interrupted her before she could discuss the addition of a voter verified audit trail. Also, the debate was rushed because Bowman wanted to get through his topics, which is a shame considering that so much time was spent on less important matters (the presidency and that bloody jungle thing).
    Yes, that really pissed me off I have to say. Grand, fine, you've got Michael D on and you want to get to be the first to ask him live on air whether or not he's going for the job - but FFS, the voting is just as important. And that last question - why do RTE feel the need to bring in the kind of humour you normally see reserved for the worst parts of the letters page in the Irish Times?
    :rolleyes:


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    originally posted by bonkey
    Why can't our government do things that simply????
    That's rhetorical right? ;)

    To back down now would be deeply embarrassing and the money could well prove to have been wasted and when Fianna Fail have just had a good opinion poll result and seemed to be getting away from the broken promises theme, they don't want to be seen wasting 40 million on a system that is being proven to be poorly thought through and not the best available. Also there is a PR contract for 4.5million, which probably has been commited to.


  • Closed Accounts Posts: 58 ✭✭pooka


    Originally posted by Sparks
    Having watched it, I'd have to say that that's not a fair conclusion. The case wasn't decisively made :(
    Ah well. Shame.

    *sound of Sparks choking on his tea*
    They weren't even using something like Bugzilla?
    Nope. No bug IDs, just informal descriptions. Fixes without regression testing. A complete disaster, really. Hm. I'm being overly technical on the Politics board. My apologies. :o)

    Cian


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 40,038 ✭✭✭✭Sparks


    Originally posted by pooka
    Ah well. Shame.
    True, but it's just one programme. There'll be others. Perhaps having a list of central points expressed in single short sound bites to go through would be helpful?
    Nope. No bug IDs, just informal descriptions. Fixes without regression testing. A complete disaster, really.
    Oh for crying out loud....
    Hm. I'm being overly technical on the Politics board. My apologies. :o)
    On this point, I think that the technical details are the important point. Evoting itself, as a concept, is sound - it's the implementation that's the problem.

    Besides, it's a computer bulletin board, I think at least some technical knowlege can be assumed :D


  • Registered Users, Registered Users 2 Posts: 15,443 ✭✭✭✭bonkey


    Originally posted by star gazer
    To back down now would be deeply embarrassing
    US Administration is backing down in an election year.....so I don't think its that embarrassing.

    You comission an independant review...which you know will say "no, its still not secure enough", and you withdraw the project from use out of concern for the validity of the electoral process, until such times as its accuracy can be acceptably proven.

    Nothing embarrassing about that. Saying its in the best interests of democracy isn't even that much of a spin.
    and the money could well prove to have been wasted
    It has been wasted.

    However, do you admit that now, or wait till more has been wasted, and the machine comes back to bite you in the ass after it has rendered some election questionable or invalid??????

    and when Fianna Fail have just had a good opinion poll result and seemed to be getting away from the broken promises theme, they don't want to be seen wasting 40 million on a system that is being proven to be poorly thought through and not the best available.
    If it was well thought out, and the best available, it was still a waste of 40 million.

    You don't back down saying "our system is not good enough", you back down saying "no system at present is good enough, and that includes the one we backed".....which isn't actually untrue.

    Its a case of "when" and not "if" that this system will bite the government in the backside. Bearing that in mind....I would have thought "sooner rather than later" is the way to go...especially when they have a small buffer of goodwill to cash in on.


    jc


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    originally posted by bonkey
    Its a case of "when" and not "if" that this system will bite the government in the backside. Bearing that in mind....I would have thought "sooner rather than later" is the way to go...especially when they have a small buffer of goodwill to cash in on.
    I tend to agree, the development of the system has serious flaws leading to a system that isn't going to be transparent enough to prevent errors being made or the outside chance of maliscious intervention being detected. The government do appear to be backing themselves into a corner by continuing to defend the system, when all the issues in evoting forum and in the media. It will take courage from the government to admit the system isn't up to best international standard, i hope there is that courage in government.


Advertisement