Up to 250,000 votes are expected to be cast using the iVote electronic voting system between March 16 and the close of polls on March 28 in the New South Wales election.
That would represent a massive increase on the 46,864 votes at the 2011 state election and could mean about 5% of the total vote is cast electronically, using a telephone or via the internet. It looks set to be by far the biggest test of electronic voting in Australia, which has largely been limited to small trials in the past, and one of the largest online votes worldwide.
If the NSW election proves to be close, those electronic votes could prove crucial. But before electronic voting begins on Monday, people in NSW should be warned: there are many unanswered questions about the integrity and privacy of those votes.
Protecting voter integrity
Late last year, the federal Joint Standing Committee on Electoral Matters recommended against electronic voting in federal elections. Its report concluded that:
Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.
So what are some of the potential threats? Software errors, hackers, misbehaving system administrators, malware or other unobservable problems could all potentially cause electronic votes to be misrecorded, modified or exposed.
The NSW Electoral Commission responded to such concerns by releasing a 102-page iVote Security Implementation Statement at the end of last week.
But its statement still doesn’t answer many of the concerns I have been raising with the commission for more than a year – particularly over vote privacy and verifiable election integrity.
For example, Norway’s online voting system, implemented by iVote’s provider Scytl, was discontinued last year after a software bug caused votes to be only very weakly hidden from election officials (see page 8 of this report).
The fundamental problem for NSW voters is this: you can’t tell what a computer is really doing to its electronic data just by looking at the screen.
Concerns about the NSW system
iVote is available to anyone who meets broad eligibility criteria, including:
- I have a disability … and because of that disability I have difficulty voting at a polling place or I am unable to vote without assistance
- I will not be in NSW throughout the hours of polling on election day.
The 2011 version of iVote misrecorded 43 votes, which appeared with the letter ‘N’ in the box(es) where preference numbers are supposed to go.
The NSW Electoral Commission is right to try to provide an independent and private voting option for voters with disabilities. However, it’s not helpful for those voters if their vote can’t be counted because of bugs in the system, like that ‘N’ ballot problem.
And iVote wasn’t actually adopted by many voters who couldn’t use paper ballots: in 2011, fewer than 2000 iVote users (less than 5%) had a disability.
More than 90% of iVote users simply declared that they would be out of the state on polling day - a group of people with much more secure voting options, including pre-poll and postal voting.
So will a revamped design for the 2015 election and a new vendor (Everyone Counts has been replaced with Scytl) resolve the fundamental questions over vote privacy and electoral integrity?
The NSW Electoral Commission certainly thinks so, recently saying:
People’s vote is completely secret. It’s fully encrypted and safeguarded, it can’t be tampered with, and for the first time people can actually after they’ve voted go into the system and check to see how they voted just to make sure everything was as they intended.
So let’s consider those two key claims: vote privacy and the impossibility of tampering.
Protecting privacy
In response to concerns over the total lack of verifiability in the 2011 iVote run, a “Verification Service” has been introduced for the 2015 election.
Votes will be sent in encrypted, or hidden, form to a “Verification Service” run by the Australian Centre for Advanced Computing and Communications, known as AC3. Voters can telephone AC3, enter their 12-digit Receipt Number, and check the decrypted vote it reads back to them.
But that still leaves crucial privacy questions unanswered, including:
- What if someone bullies a voter into calling the system to reveal how they voted?
- What if someone with (legal or illegal) access to AC3 observes the decrypted vote, and the caller ID of whoever called to “verify” it?
- What if the “Verification Service” misreads the vote, in a way that matches a misrecording by the voting client?
- 12 digits isn’t long enough to secure modern encryption, so exactly what extra measures are in place to keep votes private?
Checking for undetectable vote tampering
Now let’s consider vote tampering after voters call in to “verify”.
We’re told there will be a “Vote Auditor” who will reconcile the “Verified” votes with those passed from the main voting system into the count.
But even after reading the iVote Security Implementation Statement, a number of issues are still unclear, including:
- Who is the “Vote Auditor” this year?
- Exactly what data will they see?
- Why should candidate-appointed scrutineers, who usually have the chance to observe paper-based processes directly, trust one appointed “Vote Auditor” to act for them all?
- How do we know that the audit process detects all forms of manipulation?
- All the privacy questions that applied to the “Verification Service” apply to the auditor too.
These questions are particularly difficult to answer because no source code is publicly available.
Political parties and candidates have until March 16 to nominate a scrutineer to attend the iVote Decryption Verification Ceremony. Yet it’s unclear how those scrutineers will be able to do their job properly; with electronic votes, the scrutineers will have to take it on trust that all the data they can see on a screen has not been affected by unseen malware, software errors, hackers or other problems.
Where electronic voting can work – and where it doesn’t
Polling-place electronic voting can give the voter a real chance to verify that their vote is cast as they intended in the privacy of the booth. Good systems also provide some meaningful evidence to voters or scrutineers that the votes are properly included in an accurate count.
In Tasmania and Western Australia, voters with disabilities complete their ballot using a computer in a polling place, then print it out, check it carefully and put it in an ordinary ballot box.
I did a lot of work on the Victorian Electoral Commissions’s 2014 project to implement open-source end-to-end verifiable polling place e-voting.
So to be clear, not all electronic voting is too risky; polling place-based electronic voting with a voter-verifiable paper record can provide proper peace of mind for voters and political candidates alike.
But as yet, no remote telephone or internet voting system in Australia or overseas truly provides reliable, usable, verifiable and private voting.
As the director of the University of Michigan’s Centre for Computer Security and Society, Alex Halderman, said to me recently:
Internet voting sounds like a good idea, but it raises some of the most difficult security problems in the world today. My team studied real internet voting systems used in the US and around the world, and we found that online criminals, dishonest officials, or even state-sponsored hackers could hack in and change election results. The stakes couldn’t be higher.
That’s why, if you want to be sure your vote counts in the NSW election, I recommend you stick with an old-fashioned paper ballot.
* Vanessa Teague is involved with hosting the University of Michigan’s Alex Halderman, who is giving a free public lecture in Melbourne on March 18 and in Canberra on March 23 on Internet Voting and Cybersecurity: What Could Go Wrong?