In the previous article in this series we took a look at the most relevant examples of countries that have considered, have used or are currently using various electronic voting systems. Now, we will take a look at the problems found by researchers when analyzing these systems and at how the various election organizers handled the researchers'' reports. Due to the large amount of available information, this is just the first part of a two-part article.
As mentioned in the previous article, after a number of trials, Australia has rejected electronic voting at the federal level. The Australian Parliament's final report triggered by the security issues encountered during the 2013 elections came out in early 2015 and is as clear as possible on the issue of electronic voting: “The Committee analysed the benefits and risks associated with electronic electoral processes both in Australia and internationally. We concluded that to introduce large-scale electronic voting in the near future would dangerously compromise federal electoral integrity. Subsequent events at the 2015 New South Wales state election with the iVote system suggest that the Committee’s cautious approach was warranted. At the same time, recognising the benefits of technological advancement, the Committee made targeted recommendations to safely make better use of technology in the electoral process.” (Consolidated report, Foreword, page x, paragraph 4).
Of note is the reference to the iVote remote Internet voting system implemented in New South Wales, based on remote Internet voting machines from Scytl, which has been in use since 2010 and it seems to be an endless source of security problems. The last one surfaced after the release of the Australian Parliament report: in March 2015 a team of security researchers formed of J. Alex Halderman from the University of Michigan and Vanessa Teague from the University of Melbourne discovered a vulnerability that can be exploited in the wild using a FREAK attack.
The switch from the old magnetic stip card system which has been in use since 1991 until 2006 to the new paper-based electronic voting system with electronic counting reignited the electronic voting debate in Belgium.
A bug in the old type of voting machines disrupted the vote counting at the elections that took place in 2014.
The electronic voting system in Brazil is based on direct-recording electronic (DRE) voting machines without a voter verification paper audit trail (VVPAT) system. In 2009 a law was adopted mandating the implementation of a VVPAT system but in 2011 the Brazilian Supreme Court granted an injunction to suspend the implementation of the VVPAT system. This raises a significant trust issue, which is something that researchers reported but which was not seriously taken into account by the Brazilian Supreme Electoral Court (TSE).
Moreover, the source code of the software used by the voting machines is not public and it is difficult for potential auditors to be allowed any kind of access: “The TSE reserves final authority over the source code, so no outside authority certified the code used in 1996 or in subsequent elections. The electoral law mandates the TSE make the final source code available to political parties and, after 2003, the Bar Association (Ordem dos Advogados do Brasil or OAB), 120 days before the election. Activists and academics say that that the TSE failed to comply with this requirement for the 1996, 1998 and 2000 elections. After 2000, in the wake of heightened scrutiny of the system, the TSE began to allow outside Certification, Source Code Review and Testing actors to review the source code, but interviews with activists and congressional staffers indicate that only two parties – PDT and the Worker’s Party (Partido dos Trabalhadores or PT) – regularly participated in the audits. PDT typically has computer scientists affiliated with the party examine the code, while PT hires an outside company. The OAB expended considerable effort and money prior to the 2004 elections to audit the code by hiring an outside company and examining the software in various states, but has only conducted minimal auditing since 2004 due to costs and lack of internal capacity. There has been criticism of this auditing process by civil society groups and computer scientists. Computer scientists criticize the fact that auditors must sign a non-disclosure agreement and, consequently, any problems found during the audit are not made public. Auditors also point out that only a few days are given for auditing, and the examination of code occurs in very controlled conditions on the TSE’s computers, which is insufficient to comprehensively examine the code.” (Case Study Report on Brazil Electronic Voting: 1996 to Present, pages 245-246). Believe it or not, that's not even the worst of it. From the same report: “Academics and the OAB have also reported that there have been cases where the code has been modified after it was given to the parties, meaning parties did not audit the final version of the code. The TSE has argued the code needed to be modified for technical reasons, but has not fully explained the changes.” (page 246, paragraph 2).
Unfortunately, the problems don't stop here. The same report quoted above finds that the security researchers ostensibly allowed to review the system in 2009, were not even allowed access to the voting machine code, while the ones allowed to review the system in 2012 were allowed access to the voting machine code but only for 3 days, only from 4 computers and so little tool access that they could not even use the grep tool, which is an exceedingly basic tool for reviewing code. Finally, the contents of the voting machines are encrypted using a single 256bit AES key which is used for all machines and which is stored in the source code!
At the national level, there is an ongoing debate over the benefits of electronic voting. At the local level, various reports have already started to surface disputing the benefits of electronic voting.
One of those is the Recommendations Report to the Legislative Assembly of British Columbia of the Independent Panel on Internet Voting organized by Elections BC, the British Columbia regional electoral authority. In its conclusions, it is noted that the only real benefits are easier accessibility and convenience. Not even the much vaunted benefits of increased voter turnout or lower cost stand up to close scrutiny. These findings are similar to those of the Norwegian Internet voting trial which found that there was no relevant increase in voter turnout, and those of the UK electronic voting trials, where electronic counting ended up being considerably more expensive than manually counting the ballots. A reading of the executive summary and of chapter 5 (Perceived and actual challenges to implementing Internet voting) is recommended because the amount of information available is too large to accurately reproduce here.
Another interesting, and much more punctual, report is the Internet Voting for Persons with Disabilities - Security Assessment of Vendor Proposals from the City of Toronto. It analyzes the available voting machine systems on the market and makes the following recommendation: “Of the proposals evaluated in the context of the RFP process, it is our opinion that no proposal provides adequate protection against the risks inherent in internet voting. It is our recommendation, therefore, that the City not proceed with internet voting in the upcoming municipal election. If the City, contrary to this recommendation, remains committed to the use of internet voting, we advise that the system be limited to voters with disabilities, and not offered to the electorate at large.”
Because of the uniqueness of the Estonian electronic voting system, it deserves a closer look. The next article in this series will look into the problems of this system.
Finland ran an electronic voting trial in 2008 using DRE voting machines without VVPAT for the local elections in 3 cities. 232 voters encountered an usability flow resulting in their votes not being counted. As a result, the elections had to be repeated.
The report drafted by Effi (Electronic Frontier Finland), and linked to above, goes into more detail about the problems of the Finnish electronic voting trial and the problems were numerous and very similar to those encountered by security researchers in Brazil: Before the election took place, the authorities declined to provide information about the electronic voting system. When a security audit was organized, Effi was not allowed to participate and the Finnish company that was the system integrator required the participants to sign non-disclosure agreements that severely hampered their ability to publish their findings. A reading of the full report is, again, recommended.
Attempts to introduce electronic voting in France were met with stiff resistance. At the moment this article was being written, there was no noticeable ongoing debate over electronic voting in France.
DRE voting machines without VVPAT from the Dutch company Nedap have been used on a trial basis in Germany from 1999 until 2008. The Chaos Computer Club from Germany and the “Wij vertrouwen stemcomputers niet” group from the Netherlands analyzed voting machines very similar to the ones in use in Germany and managed to compromise their security in 2006. In 2009, the German Constitutional Court ruled these voting machines unconstitutional because of the lack of a paper audit trail, thus putting an end to electronic voting in Germany.