Tag Archives: elections

Update on Independent report on Estonia’s e-voting

On Saturday 10th May we (the Independent Team) informed key stakeholders in Estonia that we would be reporting our findings the coming Monday. We contacted the Estonian Elections Committee, other officials and agencies as well as media. We did this impartially and openly to avoid being seen to favour any one political party or media source.

Late on Sunday 11th May we launched our website summarising the findings and supporting them with photos and videos.

On Monday 12th May we held a press conference – to which there had been an open invitation – to present our findings and answer questions from anyone who wanted to. That day a first response to our work was posted by the Estonian Electronic Voting Committee’s Facebook page, to which we responded.

On Tuesday 13th May we met privately with members of the Estonian Electronic Voting Committee (which is part of the overall Elections Committee).  There we talked through our findings and shared technical details of issues and vulnerabilities that will not be published until the current elections are over. We also assured them that we would not publish any demonstration code until after the election, and would not interact with the live voting system if they chose to proceed with using it for the European Parliamentary elections. They confirmed they would proceed with using their system. I was particularly surprised when the Electronic Voting Committee members said they could think of no circumstances in which they wouldn’t proceed with using their system.

The same day the Elections Committee published a lengthy response to The Guardian’s reporting of our findings. We responded in full here.

Since Monday we have had significant interest from a range of people in Estonia’s tech industry who we have met or corresponded with. We have also seen local and international media reporting on our findings.

Sadly, despite repeated requests, we have not been able to meet with representatives of the Estonian government nor the key Parliamentary committees with oversight on these issues. The Estonian Prime Minister and President have used the media (and social media) to dismiss our work and suggest we are working to favour one political party over another in Estonia. That simply isn’t true, such a response would appear to be a case of trying to shoot the messenger rather than hear some uncomfortable truths.

On Saturday 17th May we published the detailed technical analysis report to expand on and support the findings we had published a week earlier. The paper has also been submitted to an academic conference.

I have been pleased to see such widespread discussion of our findings. However some have sought to shut down the debate by seeking to query our independence and integrity. These claims have no truth and team members have a strong record of examining the security of e-voting systems around the world without any fear or favour for political parties of any type.

Some have suggested that Estonia is uniquely able to deliver secure online voting because of their universal ID smartcards and cyberwar protections. They would argue that no other country than Estonia has the infrastructure to use online voting. Whilst I agree that Estonia has a highly developed online infrastructure, which is incredibly exciting for e-government applications, even that isn’t enough for the uniquely difficult problem of online voting.

The debate is for Estonian citizens to have now with input from the EU and NATO where they have obligations as a member-state. If I was an Estonian I would be voting on paper but happily making use of their online services for tax, health and more.

Estonia and the risks of internet voting

Originally posted on the Open Rights Group Blog.

In my capacity as an ORG Advisory Council member I’ve been working with an independent team of election observers researching the Internet voting systems used by Estonia. Why should anyone in the UK be interested in this?

Two reasons: Firstly Estonia is regularly held up as a model of e-government and e-voting that many countries, including the UK, wish to emulate. Secondly, after years of e-voting being off the UK agenda (thanks in part to ORG’s previous work in this area), the chair of the Electoral Commission recently put the idea of e-voting for British elections back in play.

Before our or any other government leaps to copy the Estonian model, our team wanted to better understand the strengths and weaknesses of the Estonian system. So several of us monitored the internet voting in operation for Estonia’s October 2013 municipal elections as official observers accredited the Estonian National Election Committee. Subsequently the team used the openly published source code and procedures for the Estonian system to build a replica in a lab environment at the University of Michigan. This enabled detailed analysis and research to be undertaken on the replica of the real system.

Despite being built on their impressive national ID smartcard infrastructure, we were able to find very significant flaws in the Estonian internet voting system, which they call “I-voting”. There were several serious problems identified:

Obsolete threat model

The Estonian system uses a security architecture that may have been adequate when the system was introduced a decade ago, but it is now dangerously out of date. Since the time the system was designed, state-level cyberattacks have become a very real threat. Recent attacks by China against U.S. companies, by the U.S. against Iran, and by the U.K. against European telecoms demonstrate the proliferation and sophistication of state-level attackers. Estonia itself suffered massive denial-of-service attacks in 2007 attributed to Russia.

Estonia’s system places extreme trust in election servers and voters’ computers — all easy targets for a foreign power. The report demonstrates multiple ways that today’s state-level attackers could exploit the Estonian system to change votes, compromise the secret ballot, disrupt elections, or cast doubt on the fairness of results.

Abundant lapses in operational security and procedures

Observation of the way the I-voting system was operated by election staff highlighted a lack of adequate procedures for both daily operations and handling anomalies. This creates opportunities for attacks and errors to occur and makes it difficult for auditors to determine whether correct actions were taken.

Close inspection of videos published by election officials reveals numerous lapses in the most basic security practices. They appear to show the workers downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing election software for distribution to the public on insecure personal computers, among other examples. These actions indicate a dangerously inadequate level of professionalism in security administration that leaves the whole system open to attack and manipulation.

Serious vulnerabilities demonstrated

The authors reproduced the e-voting system in their laboratory using the published source code and client software. They then attempted to attack it, playing the role of a foreign power (or a well resourced candidate willing to pay a criminal organization to ensure they win). The team found that the Estonian I-voting system is vulnerable to a range of attacks that could undetectably alter election results. They constructed detailed demonstration attacks for two such examples:

Server-side attacks: Malware that rigs the vote count

The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.

The researchers demonstrated that they can infect the counting server with vote-stealing malware. In this attack, a state-level attacker or a dishonest election official inserts a stealthy form of infectious code onto a computer used in the pre-election setup process. The infection spreads via software DVDs used to install the operating systems on all the election servers. This code ensures that the basic checks used to ensure the integrity of the software would still appear to pass, despite the software having been modified. The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.

Client-side attacks: A bot that overwrites your vote

Client-side attacks have been proposed in the past, but the team found that constructing fully functional client-side attacks is alarmingly straightforward. Although Estonia uses many security safeguards — including encrypted web sites, security chips in national ID cards, and smartphone-based vote confirmation — all of these checks can be bypassed by a realistic attacker.

A voter’s home or work computer is attacked by infecting it with malware, as millions of computers are every year. This malicious software could be delivered by pre-existing infections (botnets) or by compromising the voting client before it is downloaded by voters by exploiting operational security lapses. The attacker’s  software would be able to observe a citizen voting then could silently steal the PIN codes required to use the voter’s ID card. The next time the citizen inserts the ID card — say, to access their bank account — the malware can use the stolen PINs to cast a replacement vote for the attacker’s preferred candidate. This attack could be replicated across tens of thousands of computers. Preparation could being well in advance of the election starting by using a replica of the I-voting system, as the team did for their tests.

Insufficient transparency to establish trust in election outcomes

Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection. (Though making source code openly available is not sufficient to protect the software from flaws and attacks.) Many potential vulnerabilities and forms of attack would be impossible to detect based on the information provided to the public. So while the researchers applaud attempts at transparency, ultimately too much of how the I-voting system operates is invisible for it to be able to convince skeptical voters or candidates in the outcomes.

To illustrate this point, the team filmed themselves carrying out exactly the same procedural steps that real election officials show innearly 24 hours of videos from the 2013 elections. However, due to the presence of malware injected by the team before the recordings started, their count produces a dishonest result.

Recommendation: E-voting should be withdrawn

After studying other e-voting systems around the world, the team was particularly alarmed by the Estonian I-voting system. It has serious design weaknesses that are exacerbated by weak operational management. It has been built on assumptions which are outdated and do not reflect the contemporary reality of state-level attacks and sophisticated cybercrime. These problems stem from fundamental architectural problems that cannot be resolved with quick fixes or interim steps.

While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.

Our work shows that despite a decade of experience and advanced e-government infrastructure Estonia are unable to provide a secure e-voting system. So we believe other countries including the UK should learn from this that voting is a uniquely challenging system to provide online whilst maintaining the fundamental requirements of fair elections: secrecy of the vote, security and accuracy. The significant costs of attempting to build such a system would be better directed at other forms of e-government which can provide greater and more reliable benefits for citizens without risking the sanctity of elections.

Read and watch more about this work at https://estoniaevoting.org

 

 

Press Release: Independent Team finds serious vulnerabilities in Estonian Internet Voting System

Ahead of European Parliamentary elections an International team of independent experts identifies major risks in the security of Estonia’s Internet voting system and recommends its immediate withdrawalEstonia’s Internet voting system has such serious security vulnerabilities that an international team of independent experts recommends that it should be immediately discontinued.The team members, including Jason Kitcat from the UK’s Open Rights Group, were officially accredited to observe the Estonian Internet voting system during the October 2013 municipal elections. These observations — and subsequent security analysis and laboratory testing — revealed a series of alarming problems.  Operational security is lax and inconsistent, transparency measures are insufficient to prove an honest count, and the software design is highly vulnerable to attack from foreign powers.

Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections, municipal elections and is planned to be used for the May 2014 European Parliamentary elections. In recent polls, 20-25% of voters cast their ballots online.

Independent security researcher Harri Hursti, who observed operations in the election data center during October 2013, said there were numerous security lapses. “We didn’t see a polished, fully documented procedural approach of maintaining the back-end systems for these online elections,” said Hursti. Videos published by election officials show the officials downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing the election software for distribution to the public on insecure personal computers.  “These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system” Hursti said.

Assistant Professor J. Alex Halderman from the University of Michigan, pointed to fundamental weaknesses in the I-voting system’s design.  “Estonia’s Internet voting system blindly trusts the election servers and the voters’ computers”, Halderman said.  “Either of these would be an attractive target for state-level attackers.”  Recent reports about state-sponsored hacking of American companies by China and European telecoms by the NSA demonstrate that these dangers are a reality, Halderman explained.

To experimentally confirm these risks, Halderman and his Ph.D. students recreated the Estonian “I-voting system” in their laboratory based on the published software used in 2013.  They successfully simulated multiple modes of attacks that could be carried out by a foreign power. “Although the Estonian system contains a number of security safeguards, these are insufficient to protect against the attacks we tried,” said Halderman.

In one attack, malware on the voter’s computer silently steals votes, despite the systems’ use of secure national ID cards and smartphone verification.  A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count.  The team produced videos in which they carry out exactly the same configuration steps as election officials — but with the system under attack by a simulated state-level adversary.  Everything appears normal, but the final count produces a dishonest result.

“There is no doubt that the Estonian I-voting system is vulnerable to state-level attackers, and it could also be compromised by dishonest election officials,” said Halderman.  These attackers could change votes, compromise the secret ballot, disrupt voting, or cast doubt on the legitimacy of the election process.

The team recently arrived at these results and were so alarmed that they decided to urgently make their findings public ahead of the upcoming European elections, explained Jason Kitcat from the Open Rights Group.  “I was shocked at what we found,” explained Kitcat.  “We never thought we’d see as many problems and vulnerabilities as we did. We feel duty-bound to make the public aware of those problems.”

While some of the problems can be corrected in the short term through changes to the system, others stem from fundamental weaknesses that cannot be fixed.  With the growing risk of state-level cyberattacks, the team unanimously recommends discontinuing Internet voting until there are fundamental advances in computer security.

“With today’s security technology, no country in the world is able to provide a secure Internet voting system,” said Hursti.  “I would recommend that Estonia return to a paper ballot only system.”

Maggie MacAlpine, a Post-Election Audit Advisor said, “While Estonia has an excellent e-government system, which they should continue to develop, they should take the Internet voting element of that off-line. Estonia has a well organized paper voting system which they should revert back to.”

The full report and videos explaining the key findings will be published at https://estoniaevoting.org

NOTES FOR EDITORS

For queries contact estoniaevoting@umich.edu or Jason Kitcat at +44 7956 886 508.

The report authors are:

J. Alex Halderman, University of Michigan*
Harri Hursti, Independent Security Researcher*
Jason Kitcat, Open Rights Group*
Maggie MacAlpine, Post-Election Audit Advisor*
Travis Finkenauer, University of Michigan
Drew Springall, University of Michigan

* Authors who acted as election observers for 2013 Estonian local elections

ENDS.

 

Flaws found in Estonian internet voting system – PRESS CONFERENCE by independent team on this Monday 12th May in Tallinn, Estonia

PRESS CONFERENCE 12th May 2014 11:00am — Hotel Metropol, Tallinn

International Team of Independent Election Observers to deliver report on Estonian Internet Voting System

TALLINN, Estonia — An international team of independent experts will deliver their findings on the security of the Estonian E-Voting System this Monday.

This team of renowned experts on computer security and voting systems observed the use of Internet Voting in the 2013 Estonian municipal elections. Ahead of the 2014 European Elections, which plan to use the same internet voting system in Estonia, the International experts will introduce a report in which they explain their observations from 2013 and the results of their security analysis. Their analysis has identified serious flaws in the systems and processes used in Estonian internet voting.

The entire team will be at the press conference and available for interview afterwards to present and discuss their findings.

NOTES FOR EDITORS

For queries contact Jason Kitcat on jason@jasonkitcat.com or +44 7956 886 508

* The Press conference will be in the Hotel Metropol, Roseni 13, 10111 Tallinn, Estonia at 11am on Monday 12th May 2014. The press conference will be in English.

* The report and associated information will be later available from https://estoniaevoting.org

* The team who produced the report and who will be present at the press conference are:
J. Alex Halderman, University of Michigan
Harri Hursti, Independent Security Researcher
Jason Kitcat, Open Rights Group
Maggie MacAlpine, Post-Election Audit Advisor
Travis Finkenauer, University of Michigan
Drew Springall, University of Michigan

ENDS.

Despite the cuts, Green councils deliver

There is no doubt it’s not an easy time to be in local government: The Tory-led coalition are imposing massive austerity measures with councils bearing far more than their fair share of the cuts in public funding. This has been complemented by ongoing public attacks on both council officers and councillors by pugnacious Tory ministers like Eric Pickles, Bob Neil and Grant Shapps. Finally councils are being pushed and pulled between suggestions of more powers being devolved, more central direction on how to do things and massive centrally decided reforms to their funding and legal powers. Local government is a bit punch drunk.

Despite all this, councils can and should deliver. In Brighton & Hove the Green administration came to power in 2011 with a very clear manifesto which we have been working hard to implement. In less than a year Greens have made significant changes, we have:

1. Introduced a Living wage of £7.19 for the lowest paid council staff. We have created a Living Wage Commission for the city which is working with the largest employers to advocate that living wage across the city.

2. Won over £6m of new external funding for major improvements to the city’s transport infrastructure & public spaces.

3. Protected the Children’s & Adult Social care budgets, including for carers – over 2 years they will not change, whilst neighbouring authorities are withdrawing care and support from many in need.

4. We are building the city’s first new council houses in decades, and bringing more empty properties back into use. We are also working with local squatter groups working on ‘meanwhile’ leases for empty properties awaiting development.

5. Introduced a new approach in the council which prioritises openness, democracy & participation – as shown by our budget process, commitment to open data and plans for neighbourhood councils.

None of these would have happened without Greens taking control of the city council in Brighton & Hove.

We’re also unique in how much we’ve protected in our first budget, despite incredible pressure from the government, and ill-conceived amendments from the opposition parties. The Green administration’s budget will:

  • Double capital funding for transport and the public realm.
  • Build new non-academy school places in our best schools.
  • Keep an in-house Youth Service, unlike almost every other council in the country.
  • Preserve the main grant programmes for the 3rd sector at the same level as previous years.
  • Create a new £300,000 grants programme for 3rd sector youth services, and a £150,000 fund to support capital investment in the 3rd sector.
  • Protect Staff terms and conditions.
  • Preserve parks services
  • Keep all our branch libraries remain open, the book fund is growing.
  • Preventing homelessness funding is protected and domestic violence support increasing by £100,000.
  • We will be bringing forward pilots for communal recycling, food waste collection and commercial waste collection.
  • We will be piloting participatory budgeting and neighbourhood councils.
  • We will be consolidating buildings down to a few hubs which will be upgraded to be super energy efficient, have solar panels and support mobile working and hot desking.
  • Will keep pursuing a unique bid for urban UN Biosphere status.

Whilst the government’s austerity measures are forcing back to scale back in some areas, we are still able to make good progress in many important areas. For example we are going to be working towards achieving One Planet Council status in the coming months.

As Greens we’re utterly opposed to much of the coalition’s wrong-headed policies, but we have a duty to make the best of the situation for our residents. If you have elections in your area vote Green this May for more dedicated councillors fighting for fair solutions to the challenges in their areas. Greens deliver.

UK’s central database of electors cancelled

The Cabinet Office today announced what has been pretty obvious for some years. The Co-ordinated Online Record of Electors (CORE) project is dead.

In some respects this project, previously known as LASER, was a classic government centralised database nightmare. At one point its business case depended on sales to marketing companies, but a legal challenge put an end to that (see for example page iv of this PDF), resulting in a complete rethink.

The risk of an online central database was not just of our privacy and error, but that this would become a convenient starting point for the slippery slope to online voting or an ID cards database.

On the positive side some of the work necessary would improve and standardise electoral registers across the country, potentially helping to reduce fraud and error – particularly multiple registrations and failure to notify when moving.

In my view the risks and costs outweighed the benefits. But even with CORE confirmed dead, we should still aim to standardise and improve the UK’s electoral registers, including through the use of Election Markup Language.

Election debrief – some thoughts on the 2011 result in Brighton & Hove

Well that was exhausting! We have emerged from the largest ever Green campaign in Brighton & Hove with the first ever Green-led council in UK history. An incredible achievement building on Caroline Lucas’ election as the UK’s first Green MP last May.

It takes an awesome number of voluntary contributions for a small political party to achieve these kinds of results. It’s impossible to thank everyone who gives their time and skills to support a campaign they believe in. It’s an incredible thing to see and understand that wave of support we’ve had in the past few years. Thank you to each person who has helped us, no matter how big or small their contribution.

As someone who has been deeply involved in the party’s electoral strategy since about 2007 it is quite gobsmacking to see our ambition and our plans realised. Of course things were not straightforward, plans had to be adjusted and so on. Still, we have effected real change. A party with a very different culture and values to the others is for the first time in administration. Real change is possible. I’m involved in all this because I believe this is one of the best ways to change the world for the better.

Now we need to deliver for the people of this city. Thankfully, we have an excellent detailed manifesto to work from, and also the goodwill of many people and organisations around the city.

And no doubt we’ll need their support because we face many challenges: We’ll be a minority administration and our group has 14 new councillors out of 23 and we will have to deal with the cuts and changes the national Conservative-led government will impose on us.

Our group of councillors elected me to be the Cabinet Member for Finance & Central Services. I am humbled by the trust they have put in me to serve the city with this portfolio. Expect more blogging from me in the future on the areas covered by my portfolio.

A quick comment on the election campaign itself: It was disappointing how few hustings there were, it did feel that the local election didn’t really capture the public imagination. I think Labour made a real error, as they did last year over who could win in Pavilion, in claiming only they could form the next council administration. They have further tarnished their name by making claims which have been shown to be untrue. I hope they will reflect on that and hope we can work together constructively whenever we find common ground in the coming 4 years.

For now I’m catching up on sleep, spending time with my family and getting up to speed on all the departments I’ll be responsible for.

Technology is fallible – Questions over Estonia’s e-voting

Just as the terrible problems with the nuclear power stations in Japan are showing us, technology is fallible. That’s a fact, so we must choose carefully where we apply technology, in the full knowledge that it will go wrong at some point. In my view the risks outweigh the potential positives in numerous applications of technology, including electronic voting. The expense of these systems along with the risk that an election result can be tampered with, or appear to be altered, without a verifiable way of proving either what has happened, are too great a risk for any democracy.

This was highlighted a few weeks ago when serious problems emerged with Estonia’s electronic voting system, which I have questioned previously. Reports mention an e-voting supplier being fined for problems with the system and questions over the results as a student identifies a flaw in the system.

The ‘father’ of Estonia’s e-voting system, admitting it was imperfect, sprang to its defence. The Estonian supreme court rejected the student’s challenge to the results on the basis that the flaws were hypothetical and hadn’t been proven to have been used.

This is exactly the kind of doubt and questioning in an election’s legitimacy that e-voting problems enable. A costly exercise in reducing people’s faith in their electoral system.

Paper Vote Canada has more on this story.

Links 9-8-10

  • Some super slides (well worth reviewing in full, links below) from leading computer security experts presented at the US National Institute of Standards and Technology’s workshop in Washington DC on however overseas citizens should vote. Choice quotes below. (via Ian Brown and FIPR)

Prof. David Wagner (UC Berkeley):
http://csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/WAGNER_UOCAVA2010.pdf

It is not technologically feasible today to make Internet voting safe against attack.
Operating an Internet voting system safely requires expertise and money way beyond what election officials are likely to have.
There is no known way to audit Internet voting. UOCAVA votes might fall “under a cloud of suspicion.”

Prof. Ron Rivest (MIT):
http://csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/RIVEST_2010-08-05-uocava.pdf

Remote voting is trade-off between franchise and risk
The risks of “internet voting” more than negate any possible benefits from an increase in franchise
Unsupervised remote voting vulnerable to vote-selling, bribery, and coercion.
We may view internet voting as voting on a contraption consisting of a collection of [...] puzzle boxes, all connected by untraceable wires to every possible adversary on the planet.

We do not currently have the technology to make internet voting secure (and may never).
We can’t make such technology appear by wishful thinking, just trying hard, making analogies with other fields, or running pilots.
It is imprudent (irresponsible?) to assume that determined effort by adversaries can’t defeat security objectives of internet voting.
“What are best practices for internet voting?” to me sounds like “Pleash jush help me inshert the key in the lock, (hic), and I’ll be on my way…”

Answering eDemocracyBlog’s case in favour of e-voting

eDemocracyBlog has recently put forward some arguments in favour of e-voting in response to the Hansard Society’s debate on the subject.

The blog’s author (whom I can’t identify) takes issue with a number of my views which I aim to defend here.

I tend to argue from first principles which requirements any electoral system should meet. These are that elections should be secure, verifiable and anonymous. eDemocracyBlog argues that because not all existing electoral systems, such as postal voting, meets these then my views on e-voting are flawed. I don’t agree at all.

I did actually mention at the Hansard event my concerns about postal voting. But when asked to debate e-voting I focussed on the challenges there, that isn’t to say that existing electoral arrangements are perfect — they aren’t. But just because that is the case in no way makes the case for e-voting. It just further re-inforces our need to focus on fixing the current setup.

The eDemocracyBlog writes:


Related to the security point was Kitcat’s comment that delivering PINs to anyone wanting to vote electronically would create a further threat to security. Yet banks generally seem able to handle the process.

Kitcat also said eVoting could enable “ballot stuffing on a massive scale” which the need to photocopy and complete postal ballots makes more difficult. But for a would-be fraudster it should be far harder to get hold of a large number of PINs than it is to get hold of a blank ballot paper and photocopy it.

Banking is a completely different process to voting: It isn’t anonymous, it’s easy to verify because you receive monthly statements and losses are just a cost of doing business – not the outcome of a binding political election where the stakes are much higher.

eDemocracyBlog is apparently unaware that paper ballots have security marks such as stamps, or watermarks which means you cannot photocopy them. This is why fraudsters try to collect postal ballots, because they can’t produce fresh ballots themselves.

Any smart hacker isn’t going to try to break the system by intercepting PINs (for example) in the postal system. They will crack the computer systems centrally and manipulate the authorisation credentials there or just directly manipulate the results. It’s much easier to change the result on one central computer then thousands of postal ballots, for example. We’ve seen electronic voting results cast in serious doubt in the US, Canada, Japan and many more countries.

eDemocracyBlog continues:

As for the possibility of somehow hacking into the system and creating false voting records, it may be possible that details of voters can be held separately from the details of votes, and then matched again during the counting process with each voter told how their vote was registered so that they can report if it was changed without their permission.

If such a process was enabled the vote would no longer be secret, breaching the Human Rights Act (plus our European and UN human rights committments). This would leave people open to abuse, intimidation and family voting. This is not theoretical – it happens with postal voting.

I think Andy Williamson made a telling point that wasn’t rebutted when he noted that banks manage to verify cash machine transactions without ever knowing the cardholder’s PIN.

As I understand it they don’t verify the transactions. They just verify the cardholder details via the PIN. So it’s not the same and it’s very much not anonymous (wave to the camera in the ATM!)

It is also worth pointing out that the current paper-based balloting system is not anonymous either, so again this would seem to be a case of making demands of eVoting which are not equally applied to the existing system.

Only in the UK is our paper voting system not anonymous. In all other modern democracies it is. And citizens of those countries are appalled when they hear of our antiquated system which is a holdover of the Australian system from the 1860s. The Australians switched to anonymous votes before we even adopted the secret (but numbered) paper ballot here in the UK.

Another question is whether any system can be both anonymous and verifiable anyway? If it is genuinely anonymous then who is to tell whether any ballot was cast by a legitimate voter rather than, say, dumped into the ballot box by a corrupt council employee before it is sealed?

Ah, it seems eDemocracyBlog is beginning to come to terms with the difficulty of the problem. It is very difficult to build a digital system which is anonymous and verifiable – in fact I believe it’s not possible with current technology. With paper it is possible, if the paper has security marks so you can trust its source and prevent ballot stuffing.

eDemocracyBlog then goes on to attack the Electoral Commission for failing to set up a certification process for e-voting systems. But it would be up to the Government to empower the Commission to do such a thing, and to provide funds for it to be conducted. It’s my view that certification, while necessary if technology is to be used, doesn’t resolve many of the serious problems with e-voting.

Later on the Commission are again criticised by eDemocracyBlog for failing to develop a strategy for voting modernisation. But this is not a task for the Commission – it is for government to set out their view, try to pass legislation and consult the Commission on the approach.

People do not need to know how something works, or even be entirely confident in its security and privacy policies, in order to use it in their millions. I could perhaps mention Facebook at this point.

This was the same argument made by VoteHere’s Jim Adler against me in the Oxford Union debate on e-voting. Jim argued that people don’t need to understand how a plane works to fly in it. But this misses the fundamental point. With a plane, or Facebook, the results are self-evident. You fly to your destination or your post on someone’s profile appears. With a vote, because it is secret, how do you know it was accurately counted as you intended?

With paper and a public count you are fairly certain, thanks to the known properties of pen and paper, that the outcome will be valid. With an e-vote you can’t have the same confidence.

eDemocracyBlog continues defending e-voting by suggesting the costs will be lower when used on a greater scale than for just the pilots. No doubt, there were one-off costs for the pilots. However I know that several of the providers swallowed significant losses for the pilots just so that they could stay in the market, hoping to win a juicy national contract.

Furthermore the contracts were agreed centrally by the government, not by councils as eDemocracyBlog suggests. So, especially when suppliers provided for several areas, there could have been economies. £58m for weekend voting across our country would be a fraction of the costs e-voting would involve.

There is no need for e-voting to happen. Certainly in the current times of tight budgets, e-voting is extremely unlikely to happen. However I’m sure that it won’t be too long before the spectre arises once more, just because people seem to like the idea of applying technology to everything they can. Thankfully more and more people are becoming aware of the great risks e-voting presents for very limited benefits.