The Australian Capital Territory uses an open-source e-voting solution.Elections ACT
reader comments 128
Share this story
Another election day in the US is rapidly approaching (Tuesday, Nov. 8—mark your calendars!). Millions of Americans will take to the postal system or head out to local polling places in order to file physical ballots, but why is that custom still in place despite our increasingly connected and mobile society? To that end, we’re resurfacing our close examination of e-voting around the world from the last election cycle (November 4, 2012).
I live in one of the most wired parts of the United States—the San Francisco Bay Area—but for the presidential election, I’ve already voted by mail. On a piece of paper.
From the comfort of my living room.
Between folks like me who vote by mail and everyone else who votes by marking paper in some way, we comprise about two-thirds of all American voters.
Approximately 25 percent of all Americans, however, will use paperless and electronic voting machines to cast their ballots on November 6.
Around the world though, these percentages don’t hold.
An increasing number of countries are beginning to tackle e-voting with gusto.
Estonia, Switzerland, Spain, Brazil, Australia, India, Canada, and a handful of other countries have all held elections through the use of electronic voting machines in recent years.
E-voting in the US
While many developing countries are expanding the use of voting technology, many computer scientists, cryptographers, and public policy analysts worldwide are coming to the same conclusion already decided upon in the US: unverified e-voting devices are unreliable at best and dangerous at worst. Read more about the debate stateside in Timothy Lee’s piece, “Paper prophets: Why e-voting is on the decline in the United States.”E-voting was supposed to solve many of the problems inherent in traditional paper voting: it’s difficult for illiterate people to vote, it’s difficult to get physical paper out to all corners of a country (voters abroad can submit their ballot much more easily), tabulating the results takes too much time, physical ballot stuffing or ballot swapping can occur with little or no verification. With an electronic ballot, it’s also, of course, easier to tweak ballots in other languages or to make them available to blind or deaf voters.
As recently as August 2012, advocates in Pakistan and the Philippines called for the expansion of e-voting in their respective countries.
Currently, there are four major types of e-voting around the world that are worth keeping an eye on: Brazil’s homegrown direct recording electronic (DRE) setup, Australia’s open-source software, Estonia’s Internet voting, and a Spanish startup’s efforts to expand what’s been called “crypto-voting.” Each of these approaches has its own unique set of problems, but the primary obstacles they present for many voting officials and computer scientists is their lack of ability to verify source code and expense.
From dictatorship to e-voting in just over a decade
Enlarge / This urna, as photographed in 2005, has been a workhorse of Brazilian elections for almost two decades.
Surprisingly, Brazil has one of the world’s oldest electronic voting systems, dating way back to 1996. While Brazil certainly is a vibrant (and huge, at 195 million people) democracy, it’s a rapidly developing country—you do know it’s the B in BRIC, right? Brazil has gone through significant economic and political change in recent decades.
It wasn’t until 1985 that the country was rid of its military dictatorship, yet, just over a decade later, the country had implemented a locally designed and produced electronic voting system.
As recently as 1996, the country still had 15 percent of the country that could not read or write.
That meant a significant portion (over 23 million Brazilians at the time) of the country were effectively disenfranchised from voting.
The DRE machine, known locally as an urna, is about the size of two or three stacked hardback books, and it has a small screen on one side with a keypad on the other side.
The machine displays a list of candidates, along with their pictures and the numbers associated with them.
Voters use the keypad to type in their preferred number—the device only allows one number to be pressed at a time.
Voters then receive a printed stub confirming that he or she voted.
Each DRE device has two flash cards, which store a digital record of the vote count.
The cards are removed at the end of the election and the vote totals are sent electronically to the Regional Electoral Office, where national vote counts are tallied within just several hours.
“Nowadays we have 450,000 digital ballot boxes in Brazil,” Antonio Esio from the Regional Electoral Office in Sao Paulo, told the BBC in 2008. “We are making more each year because the number of voters is increasing around six percent every election.”
Before the electronic system, voters were required to hand-write the complete names of the candidates and their parties—something many illiterate people were unable to do.
“By adopting it, you are enfranchising voters who might be disenfranchised by complicated ballots,” Tiago Peixoto, a Brazilian researcher with the ICT4Gov program at the World Bank, told Ars.
However, by 2002, some critics in Brazil countered that by relying on an electronic device, there was little actual voter verification.
To use industry parlance, there was no way to verify that the vote was cast as intended and counted as it was cast.
So printers were added, which showed the vote on a piece of paper protected behind plastic.
Two years later, Brazil eliminated the printers, as they were too costly.
The printers were slated to be back (Google Translate) for the 2014 election, but they have since been suspended a second time.
By 2008, the entire software running on the DRE machines was rewritten by developers contracted by the Brazilian Superior Electoral Court.
Six months prior to any election, people who have been accredited by the Court are allowed to come in-person, “in an environment controlled by the Superior Electoral Court,” where experts can examine the source code, under a nondisclosure agreement.
Diego Aranha, a professor of computer science at the University of Brasilia, was one such expert.
But, he said, he and his team were only given five hours in which to examine millions of lines of code—nowhere near adequate to perform a proper audit.
One major flaw he found was that the digital votes are randomly shuffled, as a way to provide extra security while in storage. However, the algorithm to provide that randomness is given a non-random seed: the timestamp.
“I made this assumption because I know how many times people have got this wrong,” he told Ars. “They used a really, really bad pseudo-random number generator available: the seed was a timestamp in seconds.
This is mission-critical software! This is our software for our democracy.”
Despite these problems, so far, Brazil has used its DRE system in its various iterations for nearly two decades without any major political dispute over their use.
In an academic paper published in a forthcoming book, Aranha concluded: “The necessity of installing a scientifically sound and continuous evaluation of the system, performed by independent specialists from industry or academia becomes evident and should contribute to the improvement of the security measures adopted by the voting equipment.”
Looking inside the black box Down Under
Enlarge / The ACT remains the only Australian territory or state to use the open-source e-voting model.
“It’s a black box.” So goes the common refrain from computer scientists and cryptographers who work on electronic voting.
In other words, no one can be completely certain the computer code running on a given device does exactly what it’s said to. Worse still, no one can ever know the software running on the voter’s computer is precisely the same version of the software that was initially certified.
But for over a decade, the Australian Capital Territory has figured out a way to solve this problem (in use across a handful of voting locations): just make the software open source.
The software runs on older PCs running Linux and offers ballots in 12 languages.
There are also ballots available for illiterate, blind, or deaf voters.
Each voter receives a barcode that is read by a scanner attached to the computer. Once the code is scanned, it resets the software to be ready to receive a vote. Once the ballot is complete, the card is swiped a second time to cast that ballot.
The barcodes are not connected to an individual voter, but the software is designed to only allow one vote per voter.
The votes are counted electronically, digitally signed, and sent to a server on a local network.
“We wanted to make it something that people would find trustworthy,” said Phillip Green, the electoral commissioner for the territory, in a recent interview with Ars.
“We’ve likened it to a normal election process where if you’re doing it by hand, everything is available to scrutiny,” Green said. “We shouldn’t have a black box, where you don’t know what it does. Open source code was the way to solve the transparency issue.
So we get the code audited by a professional company and they’re looking for areas in the code that what comes in doesn’t come out and that there’s nothing in there that would allow someone to maliciously change votes.”
In addition, there’s a software keylogger making sure what’s typed in actually matches the votes that were recorded, as a way to prevent fraud.
Green added the IT faculty at the Australian National University in Canberra use the source code frequently as a security auditing exercise for its students.
This system has run more or less without any problems since 2001.
But if it’s so great, why don’t other states and territories Down Under use it? There’s no real reason, but like in the United States, state and territory voting laws and regulations are set at the state level.
The ACT has chosen to go open-source, and there’s nothing stopping the country’s bigger states, like Victoria or New South Wales, from doing the same.
The decision largely has to do with size and expense.
The ACT, Australia’s smallest territory by population, is home to about 365,000 people. (My home city of Oakland, California is bigger!) Only about two-thirds of the population are voters. Nationally, the country has around 15 million voters—so ACT voters represent less than three percent of all voters nationally.
“There’s no practical reason why it couldn’t work these, but it’s a hardware [question],” Green added.
“We’re getting out of our system cheaply by borrowing hardware. We’re part of [the] ACT government computer system and we get monitors that are coming off refresh cycles. We either get the new ones before they get them or the old ones coming off; we’re borrowing monitors. We get out of it pretty cheaply by trying to find cheap and innovative ways, and because we’ve only got five voting locations, we can get away with that. [Other states] might want 50 to 60 sites, and would have difficulty borrowing equipment.
It’s several thousand dollars per machine by the time you get the hardware together.”
Still, despite the success of the open-source e-voting setup, Green says its days may be numbered.
Even though he has his doubts about the security and openness of Internet-based setups, he believes that it, not open-source e-voting, will “be the way of the future.” After all, Internet-based systems can reduce the cost of hardware by allowing people to just use their own computers.
“We’re looking at it for 2016,” he said in a resigned tone.
Internet voting in Estonia
Enlarge / All Estonians can vote online using their digital ID card.
Perhaps the most famous example of Internet-based voting, though, comes from Estonia.
This tiny, post-Soviet country in the northeastern corner of Europe reclaimed its independence in 1991. Within less than a decade, the country was already making progress toward a digital ID card project.
The cards, which look very similar in size to other European Union ID cards or American drivers licenses, possess a front-facing chip that can be read by a small handheld device.
By 1999, the Estonian parliament passed an important amendment to the “Identity Documents Act” and created the “Digital Signatures Act.” This legislature established that such cards and corresponding signatures would be legal in the country.
The Digital ID card became available in 2002 and led to a number of “e-services” that all Estonians could take advantage of.
Through the use of open-source public key-private key encryption software (upgraded in 2011 to 2048-bit), various government agencies have enabled citizens to not only engage in digital contracts, but also to perform various secure functions connected with their identity.
These include financial transactions, public transportation tickets, and student university admissions records.
“What we have in Estonia and have had for eight years is that we have universal notion of digitally signed files,” Tarvi Martens told Deutsche Welle, Germany’s international broadcaster, in 2010. (Martens was one of the leaders of the Estonian digital ID card project at the Estonian Certification Center.)
“If you sign something digitally with your Estonian ID card, it universally replaces a paper written signature and this can be applied anywhere—terminating contracts, creating contracts—everywhere.
Everywhere you’d need a paper signature you can replace it with an electronic signature,” he added.
With that infrastructure in place, the Estonian government began testing Internet-based voting in local elections in 2005.
Two years later, it was expanded out to national elections.
In the 2009 elections for the European Parliament, 15 percent of all votes cast were submitted online.
That number grew to almost 25 percent for the 2011 domestic parliamentary elections.
As a security precaution, voters can submit their ballot as many times as they like during the e-voting window open during the week before election day.
“I-voting is possible only during seven days of advance polls—from the tenth day until the fourth day prior to Election Day,” the Estonian National Electoral Committee states on its website. “This is necessary in order to guarantee that in the end only one vote is counted for each voter.
To ensure that the voter is expressing their true will, they are allowed to change their electronic vote by voting again electronically during advance polls or by voting at the polling station during advance polls.”
Domestically, courts have upheld the use of Internet voting.
In 2011, the Estonian Supreme Court’s Constitutional Review Chamber rejected the petition of an Estonian student who alleged that the voting software—which is not open-source—could be maliciously tampered with so as not to count votes accurately.
Barbara Simons is a computer scientist and former president of the Association of Computer Machinery.
She’s an outspoken activist against e-voting and told Ars that because the Estonian government has never conducted post-election auditing, it can’t be 100 percent sure it works as advertised.
“We don’t know how the Estonian system is working,” she said. “We do know that the second largest party thinks that the voting was rigged in 2011.
The reason they think it was rigged was that the ballot counts online were different than the paper version.
There are possible explanations, but I couldn’t say that it was rigged—there’s no way that anyone can prove anything. [The Estonian government] won’t let independent security experts review it without signing a nondisclosure agreement.”
Simons points out a common refrain by many people who are used to Internet banking—that is, if we can bank online, why can’t we vote online?
In short, it’s mostly because of responsibility and attribution. With banking, you want to know—and have an extensive record—of what actions were taken when, and you associate them with a certain person.
Voting, however, requires secrecy, and separation from a person and a specific identity.
Furthermore, with banking, there is insurance and other precautions put into place to reassure customers against fraud.
“I do online banking because I know the bank will cover it,” she says. “You can’t do voting online—nobody can cover it.”
Or, as two UK-based computer scientists put it in a recent op-ed: “This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.”
Enlarge / Scytl, a Spanish e-voting startup, has made inroads around the world.
Despite these different approaches, there’s one company that has been getting a lot of attention, a Spanish company with a rather unique name: Scytl.
The company was founded by a Barcelona-based computer science professor, and partially funded initially by Spain’s Ministry of Science and Technology.
It’s now making significant inroads with various government agencies around the world, including Norway, Mexico, India, Spain, and many others.
The company offers not only on-site DRE-style e-voting, but also (most controversially) Internet-based voting.
In fact, during the first week of September, West Virginia said it would provide “electronic ballot delivery” to overseas and military voters in the state for the November 2012 election, joining other jurisdictions in states of Alabama, Arkansas, Mississippi, New York, and Dallas County, Texas.
It’s important to note that for the American market, Scytl does not offer true, Estonia-style online voting. Rather, it provides a way for the ballots to be securely sent to the individual.
“The ballot comes back to the local election jurisdiction and is tabulated in the same way in the local jurisdiction,” explained Michelle Shafer, a company spokesperson.
The company claims that for the locations where Internet-based voting is offered, its systems are true end-to-end encrypted solutions.
This, for example, is currently being tested in local elections in Norway and is scheduled for a nationwide deployment across the country in 2017.
But the company declines to reveal exactly how its setup works on its website.
“Votes are encrypted in the voters’ voting device before they are cast,” the company’s FAQ states. “Only the Electoral Board can decrypt the votes by reconstructing the private key.
The decryption of the votes is carried out in an isolated and physically secured computer by applying a mixing technique that breaks the correlation between the voters’ identity and the clear-text votes in order to guarantee voters’ privacy.”
In a set of slides dated 2011 that were presented at a cryptography conference in Spain, the company alludes to the specific techniques that it is using.
The slides refer to various advanced cryptographic techniques, including homomorphic tallying, which allows for encrypted values to be added, then have the end result decrypted without revealing each individual value.
Scytl’s setup appears to be similar to other cryptographic voting systems pioneered by Ron Rivest, Josh Benaloah, Olivier Pereira, and others with backgrounds in related research and e-voting systems.
“That slide set reads like a bunch of existing crypto voting techniques thrown together with a Scytl logo on it,” e-mailed Ben Adida, a cryptographer and co-creator of Helios.
That’s another similar crypto-voting system that was tested in a Belgian university election in 2009.
“It’s not clear to me at all that this described technology is actually used in their system, since from the little I’ve seen of folks using Scytl, none of this end-to-end verifiability is visible.”
The company does say on its site, however, that “transparency is an integral part of security.”
It explains that election authorities and independent auditors designated by those authorities are given access to the source code.
Authorities can verify this is digitally signed to make sure that the same software that was audited is the same one that is actually used during an election.
So why isn’t the source code given to the public to vet?
“[Voters] don’t have the ability to review the source code of their [online] banking either,” Shafer, the company spokesperson, added.
The slow march of democracy
Despite much of the hoopla (and hundreds of millions of dollars spent) surrounding e-voting over the last decade, there seems to be a considerable amount of evidence against putting too much faith in a system that can’t be verified. With the exceptions of Estonia (which seems to have put domestic concerns to rest) and the Australian Capital Territory (which goes the open-source route), there remain significant concerns with the expansion of electronic voting systems worldwide.
In Australia, like the US, there’s also the large problem of a mish-mash of federal and state voting laws. Not to mention, Australia is a large territory that makes deploying computers expensive and, at least for now, seemingly unfeasible. Here in the US, we would certainly do better with a single, unified voting standard that would take power away from state authorities to have differing voting standards—remember Bush v.
In short: e-voting is a tall order.
It’s difficult to make such systems verifiable (whether through open-source code, an auditable paper trail, and/or cryptography), keep them inexpensive, and maintain the legal backing of the local jurisdiction to support them.
This may be why some voting activists are pushing for “risk-limiting audits.” These don’t even attempt to get involved with the actual procedures in voting, but rather just making sure the votes were counted properly using whatever system is on hand.
It’s a laudable goal to expand democracy as much as possible. Making voting easier, particularly for those who speak different languages or who are blind, deaf, or have other handicaps is certainly admirable. However, without overcoming the multitude of problems that exist in e-voting systems, it’s hard to see how they can move forward in a trustworthy way.