Category Archives: voting

Trip report – Estonia on e-voting, transport and politics

Meeting the Mayor of Tallinn, Mr Savisaar

At the beginning of February I spent three days in Estonia at the invitation and expense of Mr Edgar Savisaar, the Centre Party Mayor of Tallinn (and Estonia’s first post-Soviet prime minister). My visit had three main aims:

  1. To present some public lectures on my views and experiences opposing electronic voting. Estonia is the only country in the world to allow all citizens to vote by Internet in their Parliamentary elections.
  2. To learn more about Tallinn’s new policy of free public transport for citizens, which had launched on 1st January 2013.
  3. To explore how Estonia does local government and what I could learn from that, and to build fruitful links between our universities and partners to support future investment and EU funding bids.

I spent most of the first day with Mr Savisaar including a formal lunch reception with a range of MPs, council officials and academics. Most of them shared deep concerns about the country’s internet voting system. This concern is a minority view in Estonia, especially in the Parliament. I have not had the opportunity to study the Estonian system in detail so cannot comment on specifics, but my friend and fellow e-voting campaigner Barbara Simons has posted her critical thoughts following her own visit and analysis of other reports.

My long-held view against e-voting can be summarised thus: the very significant risks introduced by the technology are not worth it, and the huge costs cannot be justified when they increase electoral risk and bring no other obvious benefits. Like the rest of Europe, Estonia has had to trim its national spending, so I found many Estonians agreeing that there were other priorities the money invested in e-voting could be better spent on.

Giving a lecture on e-voting in Tallinn

Following meetings with officials detailing my experiences as ORG’s e-voting campaigns coordinator, plus sharing some ideas and contacts on how to further the Estonian campaign against e-voting, we went on to my first public lecture. This very well attended event was live translated into Estonian and Russian (there is a significant Russian-speaking population) and was recorded for a local TV station. You can see clips of the event and a follow-up interview here. Footage of the meeting earlier in the day is here and here. (I don’t know if the full video of my lecture will be released online, but it was an evolution of my 2007 presentation of ORG’s election observation which can be watched here)

The next day I had an early morning meeting with Ivar Tallo, a former MP and e-government lecturer, who is a well known supporter of Estonia’s e-voting. We had a good conversation but didn’t settle our differences for and against e-voting! Then with Priit Toobal MP, one of Mr Savisaar’s assistants and a translator we went on a small tour of the country visiting Paide city (right in the centre of the country) and Parnu (a popular coastal summer resort town). I met MPs and councillors in each place whilst also presenting a shorter version of my e-voting lecture.

All the meetings and conversations gave me some interesting insights into Estonia’s advanced e-government infrastructure and the development challenges as the population is drawn inexorably towards the capital city of Tallinn, along with views and experiences of Tallinn’s free public transport. I learnt from Vice-Mayor Taavi Aas that in January bus usage had jumped about 15% whilst traffic at key central junctions in Tallinn had dropped 20%. Early days yet, but interesting. I also completely ran out of brochures for the Universities of Sussex and Brighton.

With Taavi Aas, Vice-Mayor of Tallinn responsible for transport

I doubt many use it, but I was impressed that the Estonian infrastructure allows citizens to see who (in and out of government) has accessed their identity information with a full log and lets citizens control who can view their online medical data. Citizen-centric data management seems to be an important step towards our digital future. I would urge more investment there than in online voting methods!

I was also interested to learn that local government in Estonia is primarily funded by a share of income tax. So every 1,000 people moving into Tallinn bring in an additional €1m/year from that share. There is also some form of land value tax in use. Compared to the broken taxation system councils in England depend on, a local share of income tax looks very simple and clear to understand indeed!

On the final day, before leaving, I had a chance to explore the streets of Tallinn a bit more. It’s a small city centre with a fascinating history involving Swedes, Germans, Russians and Dutch colonialism. Also lots of free wifi which doesn’t require frustrating registration forms, just a simple ‘I agree to T&Cs’ button to get going.

Of course one can never fully understand all the nuances in a short visit. But Brighton & Hove has now established some strong links with Tallinn and Estonia for our universities and councils to pursue. We are already looking at some joint EU bids between our councils. Meanwhile the campaign against e-voting continues.

I’d like to thank everyone who helped make my visit go so smoothly including Mr Edgar Savisaar, his assistants especially Oksana Jalakas, Priit Toobal MP, Kadri Simson MP, Taavi Aas, Allan Alaküla, Elena Sapp and many more.

View on part of Tallinn’s Old Town

UK’s central database of electors cancelled

The Cabinet Office today announced what has been pretty obvious for some years. The Co-ordinated Online Record of Electors (CORE) project is dead.

In some respects this project, previously known as LASER, was a classic government centralised database nightmare. At one point its business case depended on sales to marketing companies, but a legal challenge put an end to that (see for example page iv of this PDF), resulting in a complete rethink.

The risk of an online central database was not just to our privacy and of error, but that this would become a convenient starting point for the slippery slope to online voting or an ID cards database.

On the positive side some of the work necessary would improve and standardise electoral registers across the country, potentially helping to reduce fraud and error – particularly multiple registrations and failure to notify when moving.

In my view the risks and costs outweighed the benefits. But even with CORE confirmed dead, we should still aim to standardise and improve the UK’s electoral registers, including through the use of Election Markup Language.

OSCE flag concerns with Estonian e-voting system

Emilis Dambauskas writes:

I have noticed that OSCE published final assessment report for Estonian Parliamentary Elections that happened on 6th March 2011:

http://www.osce.org/odihr/elections/estonia/75382

Executive summary states:

Voters could cast their ballots via the Internet during the advance voting period from 24 February to 2 March. Despite concerns raised by some interlocutors, the OSCE/ODIHR EAM in general found widespread trust in the conduct of the Internet voting by the National Electoral Committee (NEC). However, there is scope for further improvement of the legal framework, oversight and accountability, and some technical aspects of the Internet voting system.

However there are some details which make the situation smell strangely:

(page 11): During the counting, one vote was determined invalid by the vote counting application since it was cast for a candidate who was not on the list in the corresponding constituency. The project manager could not explain how this occurred – the investigation was still ongoing at the time of issuing the report.

A student demonstrated that the client-side voting application “was flawed and could make it possible for a virus to block a vote without the voter knowing that any interference had occurred”:
http://news.err.ee/Politics/bbb598aa-586b-4981-9f7e-88273b5a25c0

The report mentions various other questionable practices by the i-voting vendor (called “project manager”). I want to re-read the report, but it seems like Estonians may have privatized their elections…

Indeed privatisation is another reason to resist the introduction of e-voting, as it is much harder to scrutinise the processes and systems used. Another quote from the report rings alarm bells for me:

The vendor, Cybernetica AS, handed over the internet voting software to the NEC in December 2010. The OSCE/ODIHR [election monitoring mission] was informed that the [privately contracted] project manager was able to update the software of the Internet voting system until right before the elections started, and without a formal consent of the NEC. This was done without any formal procedure or documented acceptance of the software source code by the NEC, which limited the information on which version of the software was ultimately used.

More concerns:

As in previous elections, and despite the recommendation made by the OSCE/ODIHR in 2007, the time of casting a vote was recorded in a log file by the vote storage server along with the personal identification code of the voter. This could potentially allow checking whether the voter re-cast his/her Internet vote, thus circumventing the safeguards in place to protect the freedom of the vote.

The project manager accessed the servers for daily data maintenance and backup breaking the security seals and using a data storage medium employed also for other purposes. This practice could potentially have admitted the undetected intrusion of viruses and malicious software.

There were also weak disaster recovery processes in place, and source code for the client application (only) could only be inspected after signing a non-disclosure agreement. In other words, highly unsatisfactory, and if anyone seriously challenged the results it would be nigh on impossible for the Estonian election commission to prove that no tampering had occurred.

Read the full OSCE report [PDF]

Technology is fallible – Questions over Estonia’s e-voting

Just as the terrible problems with the nuclear power stations in Japan are showing us, technology is fallible. That’s a fact, so we must choose carefully where we apply technology, in the full knowledge that it will go wrong at some point. In my view the risks outweigh the potential positives in numerous applications of technology, including electronic voting. The expense of these systems, along with the risk that an election result can be tampered with, or appear to be altered, without a verifiable way of proving what has happened, is too great for any democracy.

This was highlighted a few weeks ago when serious problems emerged with Estonia’s electronic voting system, which I have questioned previously. Reports mention an e-voting supplier being fined for problems with the system and questions over the results as a student identifies a flaw in the system.

The ‘father’ of Estonia’s e-voting system, admitting it was imperfect, sprang to its defence. The Estonian supreme court rejected the student’s challenge to the results on the basis that the flaws were hypothetical and hadn’t been proven to have been used.

This is exactly the kind of doubt and questioning in an election’s legitimacy that e-voting problems enable. A costly exercise in reducing people’s faith in their electoral system.

Paper Vote Canada has more on this story.

London confirms choice to use e-counting again

Given the signs, I’m not hugely surprised that London Elects have decided to go with e-counting again for 2010. It’s only likely to cost the taxpayer about £1.5 million more than doing it manually… and that doesn’t seem to bother Boris, but it bothers me. The DRS release claims that, if the GLA agree to use them in 2016 too, then they will be £0.2m cheaper per election than manual counting. But based on my review of the GLA figures for manual counting, they were seriously inflated to make e-counting look more attractive (and the Electoral Commission concurred). So I challenge DRS’ claim to cost-effectiveness.

As is often the case, rather than recognising the fundamental difficulties with e-counting (or e-voting), the GLA have decided that last time’s problems were because of the supplier they chose. So they’ve dumped Indra for a joint venture between DRS Data Services and Electoral Reform Services. (Disclosure: I’m a member of the Electoral Reform Society who own Electoral Reform Services.)

These were the same two suppliers involved in running the last Scottish Parliamentary elections, which also experienced significant problems as observed by ORG. Given his background and the sensitivity of these contracts, it is interesting that Lord (Neil) Kinnock remains on the board of DRS.

ORG will be planning to observe these elections once again. I hope they are trouble-free and improve on the experience in 2008. We’ll be watching!

Full announcement on the DRS website

Links 9-8-10

  • Some super slides (well worth reviewing in full, links below) from leading computer security experts presented at the US National Institute of Standards and Technology’s workshop in Washington DC on how overseas citizens should vote. Choice quotes below. (via Ian Brown and FIPR)

Prof. David Wagner (UC Berkeley):
http://csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/WAGNER_UOCAVA2010.pdf

It is not technologically feasible today to make Internet voting safe against attack.
Operating an Internet voting system safely requires expertise and money way beyond what election officials are likely to have.
There is no known way to audit Internet voting. UOCAVA votes might fall “under a cloud of suspicion.”

Prof. Ron Rivest (MIT):
http://csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/RIVEST_2010-08-05-uocava.pdf

Remote voting is trade-off between franchise and risk
The risks of “internet voting” more than negate any possible benefits from an increase in franchise
Unsupervised remote voting vulnerable to vote-selling, bribery, and coercion.
We may view internet voting as voting on a contraption consisting of a collection of [...] puzzle boxes, all connected by untraceable wires to every possible adversary on the planet.

We do not currently have the technology to make internet voting secure (and may never).
We can’t make such technology appear by wishful thinking, just trying hard, making analogies with other fields, or running pilots.
It is imprudent (irresponsible?) to assume that determined effort by adversaries can’t defeat security objectives of internet voting.
“What are best practices for internet voting?” to me sounds like “Pleash jush help me inshert the key in the lock, (hic), and I’ll be on my way…”

Answering eDemocracyBlog’s case in favour of e-voting

eDemocracyBlog has recently put forward some arguments in favour of e-voting in response to the Hansard Society’s debate on the subject.

The blog’s author (whom I can’t identify) takes issue with a number of my views which I aim to defend here.

I tend to argue from first principles about which requirements any electoral system should meet. These are that elections should be secure, verifiable and anonymous. eDemocracyBlog argues that because not all existing electoral systems, such as postal voting, meet these, my views on e-voting are flawed. I don’t agree at all.

I did actually mention at the Hansard event my concerns about postal voting. But when asked to debate e-voting I focussed on the challenges there. That isn’t to say that existing electoral arrangements are perfect — they aren’t. But that in no way makes the case for e-voting. It just further reinforces our need to focus on fixing the current setup.

The eDemocracyBlog writes:


Related to the security point was Kitcat’s comment that delivering PINs to anyone wanting to vote electronically would create a further threat to security. Yet banks generally seem able to handle the process.

Kitcat also said eVoting could enable “ballot stuffing on a massive scale” which the need to photocopy and complete postal ballots makes more difficult. But for a would-be fraudster it should be far harder to get hold of a large number of PINs than it is to get hold of a blank ballot paper and photocopy it.

Banking is a completely different process to voting: It isn’t anonymous, it’s easy to verify because you receive monthly statements and losses are just a cost of doing business – not the outcome of a binding political election where the stakes are much higher.

eDemocracyBlog is apparently unaware that paper ballots have security marks such as stamps, or watermarks which means you cannot photocopy them. This is why fraudsters try to collect postal ballots, because they can’t produce fresh ballots themselves.

Any smart hacker isn’t going to try to break the system by intercepting PINs (for example) in the postal system. They will crack the computer systems centrally and manipulate the authorisation credentials there or just directly manipulate the results. It’s much easier to change the result on one central computer than thousands of postal ballots, for example. We’ve seen electronic voting results cast in serious doubt in the US, Canada, Japan and many more countries.

eDemocracyBlog continues:

As for the possibility of somehow hacking into the system and creating false voting records, it may be possible that details of voters can be held separately from the details of votes, and then matched again during the counting process with each voter told how their vote was registered so that they can report if it was changed without their permission.

If such a process was enabled the vote would no longer be secret, breaching the Human Rights Act (plus our European and UN human rights commitments). This would leave people open to abuse, intimidation and family voting. This is not theoretical – it happens with postal voting.

I think Andy Williamson made a telling point that wasn’t rebutted when he noted that banks manage to verify cash machine transactions without ever knowing the cardholder’s PIN.

As I understand it they don’t verify the transactions. They just verify the cardholder details via the PIN. So it’s not the same and it’s very much not anonymous (wave to the camera in the ATM!)

It is also worth pointing out that the current paper-based balloting system is not anonymous either, so again this would seem to be a case of making demands of eVoting which are not equally applied to the existing system.

Only in the UK is our paper voting system not anonymous. In all other modern democracies it is. And citizens of those countries are appalled when they hear of our antiquated system which is a holdover of the Australian system from the 1860s. The Australians switched to anonymous votes before we even adopted the secret (but numbered) paper ballot here in the UK.

Another question is whether any system can be both anonymous and verifiable anyway? If it is genuinely anonymous then who is to tell whether any ballot was cast by a legitimate voter rather than, say, dumped into the ballot box by a corrupt council employee before it is sealed?

Ah, it seems eDemocracyBlog is beginning to come to terms with the difficulty of the problem. It is very difficult to build a digital system which is anonymous and verifiable – in fact I believe it’s not possible with current technology. With paper it is possible, if the paper has security marks so you can trust its source and prevent ballot stuffing.

eDemocracyBlog then goes on to attack the Electoral Commission for failing to set up a certification process for e-voting systems. But it would be up to the Government to empower the Commission to do such a thing, and to provide funds for it to be conducted. It’s my view that certification, while necessary if technology is to be used, doesn’t resolve many of the serious problems with e-voting.

Later on the Commission are again criticised by eDemocracyBlog for failing to develop a strategy for voting modernisation. But this is not a task for the Commission – it is for government to set out their view, try to pass legislation and consult the Commission on the approach.

People do not need to know how something works, or even be entirely confident in its security and privacy policies, in order to use it in their millions. I could perhaps mention Facebook at this point.

This was the same argument made by VoteHere’s Jim Adler against me in the Oxford Union debate on e-voting. Jim argued that people don’t need to understand how a plane works to fly in it. But this misses the fundamental point. With a plane, or Facebook, the results are self-evident. You fly to your destination or your post on someone’s profile appears. With a vote, because it is secret, how do you know it was accurately counted as you intended?

With paper and a public count you are fairly certain, thanks to the known properties of pen and paper, that the outcome will be valid. With an e-vote you can’t have the same confidence.

eDemocracyBlog continues defending e-voting by suggesting the costs will be lower when used on a greater scale than for just the pilots. No doubt, there were one-off costs for the pilots. However I know that several of the providers swallowed significant losses for the pilots just so that they could stay in the market, hoping to win a juicy national contract.

Furthermore the contracts were agreed centrally by the government, not by councils as eDemocracyBlog suggests. So, especially when suppliers provided for several areas, there could have been economies. £58m for weekend voting across our country would be a fraction of the costs e-voting would involve.

There is no need for e-voting to happen. Certainly in the current times of tight budgets, e-voting is extremely unlikely to happen. However I’m sure that it won’t be too long before the spectre arises once more, just because people seem to like the idea of applying technology to everything they can. Thankfully more and more people are becoming aware of the great risks e-voting presents for very limited benefits.

Why can’t I vote at my ATM? Hansard Society Debate

This evening the Hansard Society hosted a panel debate in Portcullis House, Westminster with the title “Why can’t I vote at my ATM? – the practicalities of the ballot box”.

I, along with Electoral Commission Chair Jenny Watson and Tom Watson Harris MP, made up the panel. The audience was filled with a wide variety of interesting people including current and former Electoral Commission staff, civil servants, Lords and activists.

While we didn’t all agree on the reasoning, there was a fairly general consensus that electronic voting shouldn’t be pursued at the moment. There was lots of interesting debate on issues of access and turnout. I hope the society will put online a podcast or summary of the event in some form. I post below my opening speech for the event.

——–

Thank you for inviting me here to participate this evening.

I come to this issue as a programmer, as someone who has observed elections for the Open Rights Group and who, as a local councillor, has had a very personal interest in elections.

As an observer the ultimate compliment one can pay an election is to say that it was ‘free and fair’.

What does an election process need to do to be considered free and fair?

There are three key properties that must ALL be met. An election must be:

  • Secure
  • Verifiable
  • Anonymous

By secure we mean that the results cannot be changed, that only those entitled to vote actually do so and people can only vote one time.

Verifiable means that candidates, agents, observers and voters can check the result and have confidence that the result reflects the will of the people. Voters need to be sure that their intention was accurately recorded and counted.

Finally to prevent coercion, vote selling and bribery voters absolutely need to be secure in the knowledge that their vote is secret and that people cannot know how they voted. I am aware that the UK currently doesn’t have a completely secret ballot, we should, but that’s a debate for another day.

  • Secure
  • Verifiable
  • Anonymous

A properly run paper-based election can meet those three requirements.

However with current technology electronic voting cannot meet those three principles. It just isn’t technically possible to have an electronic system which is secure and anonymous whilst also being verifiable.

When the Open Rights Group observed electronic elections in the UK we were unable to declare confidence in the results, because we just couldn’t properly verify the counts at all, it was hidden behind the technology.

Online banking is a completely different problem, the transactions are not secret, we can see them in our statements and merchants collect lots of personal information about us to push through their anti-fraud systems. Technology is great for so many things, but not voting.

If you’ve heard the complaints from the music and movie industries over recent years, then you’ll know that computers are good at copying. With electronic voting we risk undetectable ballot stuffing on a massive scale.

Currently the very nature of paper – that you need a vehicle to move around lots of it, that it’s logistically challenging to deal with thousands of ballots – limits fraud and increases the chance of fraudsters being caught. With electronic votes the fraud can happen in a computer, where none of us can see inside, with millions of votes changed or copied whilst controlled by someone on the other side of the world.

I’ll save more details of the technical problems with electronic voting and counting for the questions, if people are interested. But there is a broad consensus in the computing world that these technologies should not be used. The Association for Computing Machinery and the British Computer Society as well as scores of academics have voiced their opposition. So far e-voting has been cancelled in Ireland, Netherlands, Germany, Italy and the province of Quebec. There have been serious problems found with e-voting systems in India, Japan, France, Belgium and of course the United States.

I might add that these systems are hugely expensive, costing many times more than traditional paper-based elections. In a 2003 e-voting trial in Sheffield, for example, the cost was £70 per e-vote cast versus £1 per paper vote. And on average turnout still declined during the UK’s electronic voting pilots between 2000 and 2007.

On turnout, we need to be very careful. Much of the over £50 million spent on UK pilots in the last 10 years was based on blind faith that online voting would boost turnout. It didn’t, simply because ease of voting is not the main factor for why people don’t vote. Indeed there are studies showing that people who live furthest from their polling station are most likely to vote!

People choose not to vote because they feel all politicians are the same, that their vote doesn’t count or they don’t know enough about the issues to vote. That’s a challenge for the political system to address, one which electoral reform could help with as there’s data clearly showing higher turnouts in countries with fairer electoral systems.

That being said, politics aside, what should we do about our electoral processes? We absolutely and urgently need individual voter registration and that could be tied in with an online electoral roll. That’s a place where technology could help voters, election administrators and party activists.

We need to clamp down on postal voting, it’s the source of most allegations of fraud. It will need to still be available, but in a much more controlled and secure manner.

We need to review polling day. I know the Electoral Commission have done quite a bit of interesting work on this. Moving elections to the weekends, perhaps all weekend, is one option but the consultation responses to this were, I understand, rather mixed. What we could do is declare a public holiday on election day, we could also consider offering, before polling day, early voting in town halls.

Finally, I think counts need to stay open, be manual, paper based and easily scrutinised. It’s only by watching piles of ballots add up, by observing them being sorted and checked, that we can have confidence in the result. What could help would be more standardised procedures for the counts. This would assist with training of all involved – at the moment every count across the country can be done in a different way. Let’s not stamp out local innovation, but let’s make sure there are minimum standards so we can have confidence in a modern, paper-based electoral system.

In closing, I believe electronic voting & counting are not the way forward, let’s update our existing electoral system whilst keeping it secure, verifiable and anonymous. The real challenge for engagement and turnout lies with our political culture and the fairness of our voting systems, not election administration.

India’s e-voting machines cracked

Rop Gonggrijp is someone always worth keeping an eye on. He was instrumental in revealing the problems with the Nedap voting machines used in Ireland and the Netherlands.

Now he’s part of a team who have publicly demonstrated serious security flaws with India’s electronic voting machines. Time and time again India has been cited as a good example – but the reality was their systems lacked independent scrutiny. Now that expert scrutiny has been brought to bear, problems have been found.

How many more countries have to make the expensive mistake of rolling out e-voting before we all learn that computers and voting are just not well suited for each other?

Read more, and watch the great video at http://www.indiaevm.org

Rop’s post explaining some of the back story

VeTA - a new group campaigning against India’s e-voting, welcome!

(via Ed Felten’s Freedom to Tinker)

Upcoming events in Brighton & Cambridge

Two events coming up soon which will be of interest to digital rights type people:

  • Debating the Digital Economy Act Thur 29th April
    I’ll be one of the contributors at this debate, organised by Wired Sussex here in Brighton.
  • Internet Voting: Threat or Menace Tue 27th April
    Jeremy Epstein from SRI International is over in the UK and will be giving a talk at Cambridge Uni’s Computer Lab Security Seminar series. I did one of these a few years ago and it was highly enjoyable – the audience were engaged and very generous with their interest.