In 2015, more than 280,000 votes were received in the New South Wales election from a personal computer or mobile phone. This was the largest-ever binding election to use online voting.
But federally, the Joint Standing Committee on Electoral Matters has ruled out allowing Australians to cast their vote online, arguing it risks “catastrophically compromising our electoral integrity”.
Despite years of research, nobody knows how to provide evidence of an accurate result while keeping individual online votes private.
Internet voting is similar to online banking, except you’re not sent a receipt saying “this is how you voted” because then you could be coerced or bribed. Your vote should be private, even from the electoral commission.
There are three reasons why Australia shouldn’t move to an online voting system:
the system might not be secure;
the code might not be correct; and, most importantly,
if something goes wrong, we might never know.
The system might not be secure
Computer security researcher Alex Halderman and I (Vanessa) found a serious security vulnerability in the NSW iVote system during the March 2015 election. This was caused by some code imported into the secure voting session from an insecure third-party server. It meant an internet-based attacker could have exposed e-votes, changed them, and circumvented iVote’s verification process.
The vulnerability was repaired, but by that stage, 66,000 votes had been cast. Just 3,000 votes determined the result of a disputed seat in the Legislative Council. There is no evidence that the security hole was exploited, but also no evidence that it was not.
Some iVote returns differed notably from those cast by more secure channels. The ALP received about 30% of the votes on paper in the Legislative Council, for instance, but only 25% via iVote. The NSW Electoral Commission (NSWEC) blamed these differences on a user interface design problem, but it might also have been a software error or a security breach.
The code might not be correct
The main use of computers in Australian elections is for counting complicated elections like the Senate and the upper houses of state parliaments. We’ve had the opportunity to inspect some of the code and some of the data. We’ve also found some bugs – which is a good thing, because then they can be fixed.
The vote-counting code used in the ACT is available for scrutiny. The Logic and Computation Group at the ANU analysed the code in 2001, 2005 and 2012 and found three bugs. Luckily they could be corrected before they affected an election.
This wasn’t the case in the 2012 local government elections in Griffith, NSW. Last week, with Andrew Conway and others, we identified a software error leading to a mistake in the 2012 results computed by the NSW Electoral Commission. The software error incorrectly distributed preferences, which meant candidate Rina Mercuri lost a spot on the Griffith council. Without the error, she would have won with a probability of about 91%.
The Australian Electoral Commission very recently purchased a new “Senate counting solution” from the same vendor that made iVote. But the code is unavailable to Australian public scrutiny, despite a Freedom of Information request and a Senate motion ordering the commission to publish it. The code should be made public, and the paper ballots should be available for auditing.
We’d expect a similar rate of error for internet voting code as counting code, but iVote’s code is not available for review. More importantly, there’s no simple way for an outsider to double-check the process.
If something goes wrong, we might never know
With no official account of the iVote run, and no public independent report, we cannot tell whether votes were changed or lost in the 2015 NSW election.
iVote had a limited verification mechanism: voters could ring a special service, enter their receipt number and have their vote read back to them.
An attacker who changed the vote could change the receipt number too, so the voter couldn’t retrieve any vote from the verification service. But the same would happen if voters simply forgot their receipt numbers, or if votes were accidentally lost due to a software bug.
The NSWEC’s online response to our analysis claims:
Some 1.7% of electors who voted using iVote® also used the verification service and none identified any anomalies with their vote.
But there must have been people who telephoned the verification service, but couldn’t retrieve any vote at all. The real question is: of those who tried to verify, what fraction failed?
How electronic voting can work: in a polling place
Secure electronic voting is possible – in a polling place. One simple method to check the accuracy of the process is to print a plain paper ballot that a voter can read and check.
Another method is an “end-to-end verifiable” election system. We worked with the Victorian Electoral Commission to develop the first such system to run at a state level anywhere in the world.
Under this system, voters cast their votes at polling places using a computer. The system provided evidence to each voter that their vote was recorded as they intended and properly included in the count. It also provided evidence to scrutineers that all the votes were properly processed, without revealing individual votes.
The processes allowed votes to be returned electronically from London with evidence that they were correct, rather than shipping the ballot papers.
Why was it restricted to a polling place? Partly because large-scale voter coercion and identity fraud are harder. Most importantly, because voters can get help to follow the complicated verification process.
Election commissions must produce verifiable evidence that the winning candidates were chosen fairly, based on reliable and secure vote-casting and correct vote-counting.
The lesson from the bugs in the ACT and NSWEC vote-counting code is clear: make the computer code available for public inspection so that we can scrutinise it for errors before the election.
Receiving votes from the internet is the easy part. Proving that you got the right result, while keeping votes private, is an unsolved problem.
This article was co-published with Election Watch.