Schneier on Security
A blog covering security and security technology.
« Lessons from the Columbine School Shooting |
| A Sad Tale of Biometrics Gone Wrong »
April 29, 2009
Ireland Does Away with Electronic Voting
They're voting on paper again; smart country.
I wrote about electronic voting machines back in 2004.
Posted on April 29, 2009 at 1:05 PM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In Germany there is a doubt about the use of electronic voting as well, but for different reasons.
Earlier this year, the Federal Constitutional Court (Bundesverfassungsgericht) decided that the use of electronic voting machines in the federal elections of 2005 was against the constitution. They said that the basic constitutional right to open and public elections was offended because a citizen/voter would require special (computer) knowledge in order to be able to check whether the whole election process was carried out correctly. This does not automatically mean that they will go back to paper, but at least that they cannot use the same machines that they used in 2005. Any machine to be used has to be able to let anyone to check whether his/her vote was correctly taken into account and the overall execution of the election process without needing any special knowledge.
The press release (in german): http://www.bundesverfassungsgericht.de/...
From the article, the Irish decision seems to be based on purely economics, not technology shortcomings.
"the Irish decision seems to be based on purely economics, not technology"
hmm, if only the two could be so easily separated. how would you describe the cost of secure technology as a reason...impure economics?
How is the wealthy elite supposed to manipulate the system when you people attempt to ruin their party???
@Mark: "From the article, the Irish decision seems to be based on purely economics, not technology shortcomings."
Which would also be a valid reason. What's the point of using technology if it is more cost effective and equally (in this case more) reliable to use paper?
The Irish didn't use electronic voting in the first place.
There were many problems in introducing electronic voting 7 years ago and the system has now been scrapped. These were many legal issues and concern about secrecy, accuracy and a paper trail.
The vast majority of the Irish have been voting on paper all along. See this link http://www.environ.ie/en/LocalGovernment/Voting/... for more info.
How about a pitcher and some stones ?
Can't believe I read it here - the author of this blog is painfully naive regarding the fraud in paper election - that alone is the reason why the system is popular worldwide.
When I lived in the UK people used to question me on why the US didn't use good-old paper ballots. Part of my response was to list all of the offices and issues that I voted on in the last election when I was a US resident. It included President, Senate, House, Governor, each office in the state cabinet, state supreme court, county clerk, county sheriff, county coroner, several county judgeships, mayor, town council member plus at-large member, several school board positions, and then various bond issues and referenda. I asked them if they were running a board election with that many variables, would they rely on manually-counted paper ballots, or would they want automatic tabulation of the results? I also lived in Quebec during the controversial soverienty referendum, and there were news reports for weeks following about the reasons why particular marks that seemed clear enough to me were deemed to have "spoiled" a ballot. Let's face it, counting votes is tedious, controversial, and expensive.
Just make them open source.
Electronic voting was discredited in Ireland a few years ago. What's new is the government's overdue tacit admission of the unsuitability of the chosen e-voting platform, and so finally disposing of the machines which were costing hundreds of thousands of euros a year to store.
Thankfully we haven't had to use them for a long time but we have been futilely paying to keep them serviceable.
@Douglas2: The EU will have an election this year. The EU has around 490 million people compared to 307 million for the US.
But somehow it is possible to hold an election and get the results within a day with paper ballots.
Yes, it is tedious.
No, it is not controversial. The number of controversial paper ballots is very very small. (No, we don't have "hanging chaffs" or whatever they were called.)
No, it is not expensive. You need the same number of people who help you with the election as you would need with electronic voting. But in electronic voting you also need the people who program the software, run the servers, provide service, etc. Those people are much more expensive because they expect to be paid. In contrast the people who help count the votes do it for free. Printing millions of ballot papers is peanuts vs. many months of software development.
And regardless of the costs, I'd rather wait a few hours or days for the results of an election when I know that everybody can vote in secrect, that everybody is allowed to help in counting the votes, and that everybody IS ABLE to do all that!
You can explain voting with paper ballots very easily:
* every voter can vote in secret, exactly once, and anonymously
* everybody is allowed to check if nobody voted twice
* every voter marks a piece of paper with his/her vote
* the votes are collected in a bin
* everybody is allowed to help count the votes and check if others counted them correctly
Now please explain in the same amount of space how electronic voting works and where somebody can check if it really works correctly.
@Devin Baillie: No, open source voting programs don't help. You also have to make sure and be able to check for yourselves that the executable on your voting machine REALLY came from the source code you just inspected. And not only for one machine but for EVERY machine.
"every voter can vote in secret....and anonymously"
You obviously don't vote in the UK. When I go to vote my name is checked against a list of registered voters and I am given a ballot paper. The unique number on the ballot paper is recorded against my name. Ballot papers and voting lists are retained for a period of - I believe - 100 years.
Theoretically a government could find out how any given person voted. Alternatively they could extract all the papers for a given political party and find out who voted for it. It would be time consuming and tedious, but the sort of regime that might want to do it wouldn't be put off by that.
On the plus side, it's a lot harder to conduct this sort of exercise with paper ballots than it would be with an electronic voting system!
I was on the periphery of the campaign to prevent this system from being introduced. One of the most mind-boggling facts surrounding this matter is that, while those who commissioned and specified the voting systems knew a massive amount about the history of voting in Ireland, they knew close to nothing about securing computer systems and they didn't consult any independent experts until after contracts were signed. Even then, all official examinations of the systems had their terms of references restricted to prevent the inherent flaws being identified. When campaigners tried to point out the issues, they were vilified, leading at one point to the relevant Minister at the time describing the primary lobby group, the Irish Citizens for Trustworthy E-voting (ICTE) as "anti-globalisation anarchists" in parliament. ICTE is made up primarily of academics and IT security experts. The Irish Computing Society, which has authority in the Irish establishment as a "nominating body" for the Irish Senate, supported ICTE, and yet the government refused to listen.
Eventually, a commission was set up, and issued a report in 2006 (http://www.cev.ie/htm/report/download_second.htm), which effectively destroyed any realistic chance of this system being deployed.
The Government at the time, however, didn't take the honourable course and just scrap it because of the amount of political force they put behind while promoting it, and the potential embarrassment such a public move would cause to it. The Taoiseach (i.e. Prime Minister) was still lamenting the fact that Ireland will be "the laughing stock" of Europe with its "stupid ould pencils".
The government, minister and Taoiseach have changed since, and the time is ripe for the announcement.
I am familiar with one of the current minister's advisers, who comes from the IT industry and was also involved in the campaign. I know he is familiar with the technical issues involved. It's politically expedient to ascribe the decision to finally scrap the system to Ireland's economic situation, which is dire, but I'd be very surprised if the Minister is not fully aware of the technical reasons why the system is inadequate.
Personally, I'm delighted this embarrassing chapter of Irish history has come to a close with the correct decision, despite how long it took or how much it cost.
Finally, the joke doing the rounds here is that the Zimbanwean government is interested in buying the machines, willing to pay "billions of dollars" (http://www.xe.com/ucc/convert.cgi?Amount=1.00&From=EUR&To=ZWD).
Smart country indeed. The Irish have a reputation for persuasiveness and blarney, but underlying that is a quick intelligence.
As the old joke goes, "Every time an Irish person emigrates to England, the average IQ of both countries rises". It takes the English a little while to work that one out.
(I'm licensed to retail Irish jokes, being quarter Irish and three quarters Scots).
Yeah, with the system of proportional representation in use here, there used to be great tension during the counting with announcements and subsequent redistribution of votes. All that would have been done away with as well.
@Tom Welsh. The average IQ of both places remains 100. That's how IQ is defined. The English know this but don't want to make you look like an oaf.
I live in Minnesota, in the US (can't be that far from Bruce, in fact).
We use machine-counted ballots. As far as I can tell, this gives us the best of both worlds.
The counting gives us the immediate feedback we want, on as many races and other questions as we like. However, if there are any questions, the paper ballots are still here to be inspected.
Consider, for example, the Minnesota Senate election last year (I hope we know the winner by the end of June). We have the paper ballots, and were able to conduct a recount in excruciating detail.
The big problem remaining is the handling of the absentee ballots, which are paper. That's only a problem because, statistically speaking, Minnesota couldn't make up its mind in this election. If there had been an actual preference, say if one candidate had won by five thousand out of three million ballots cast, the result would be clear.
@Sturat: Please note that having numbers on the ballot paper AND writing the numbers next to the list of the voter contradicts my statement, "every voter can vote in secret, exactly once, and anonymously".
Besides, what happens when you just tear off the number from the ballot paper? Is the vote counted? Is it discarded? If yes, why and on what grounds?
I don't know british law. But I guess, there is something in it that says that the voter's will must be expressed clearly when he voted for something. The teared off number of the ballot paper does not make the voter's will more unclear.
There used to be in Ireland a receipt system, where the voter was given a docket that could be tied back to the ballot. It was done away with in the early '70s when the Supreme Court ruled that this meant the ballot wasn't secret, and gave rise to the possibility of intimidation.
In my country (Denmark, Europe) the handed out ballots are unnumbered.
Furthermore one of the things that will cause a ballot to be declared void is if it has been signed, numbered, torn, signed with a different pen than the ones placed in the booths or otherwise marked in any way that might allow a corrupt vote count observer or participant to confirm that this is the vote he intimidated/bribed a specific voter to cast.
To speed up counting the votes are counted twice: First a rough count looking only at the most eagerly awaited aspects (parties voted for, most important yes/no issues), then the next day a detailed count is done with closer attention to details, counting all the vote specifics (individual candidates, additional yes/no issues, more careful identification of spoiled ballots).
Absentee ballots use a double-envelope system: The absentee voter puts his vote in a blank envelope, then puts that envelope in an envelope with his name and proofs his identity to an official who then puts the outer envelope in a sealed box pending sorting and bulk forwarding to the voters usual voting location in time for the voting starting. At the voting location, outer envelopes matching voters who turned up in person are destroyed unread, the others are opened and separated from the inner envelopes. The blank envelopes are then shuffled, opened and counted.
The election volunteers are mostly appointed by the parties running for election with every task being done by at least two people together. In the US this would mean that every vote would be counted by a Democrat and a Republican together. The very same people who in Florida would be looking over their shoulders to prepare lawsuits.
Now our counting system is not entirely perfect. One known problem is that the volunteers tend to be from the currently elected parties rather than the running parties. Another known problem pointed out a few years back is that the short curtain of the voting booths allows spectators to see approximately how much of the long list of candidates is hanging down below the curtain as the voter is marking it.
In practice, the most commonly caught election fraud here is identity fraud by voters, typically limited to less than 10 votes total.
I'm an Indian and as luck would have it, cast my vote in Phase III of the 5 phase general election taking place in India, *today* itself.
I have voted earlier using the earlier paper ballot format wherein a voter would stamp his choice in a column next to the candidate's name and also using the new Electronic Voting Machine (EVM). The EVM, IMHO is far,far better.
✔ There's less risk of tampering with the votes, thereby reducing the cost that might be incurred in case of booth capturing causing a re-poll in that constituency.
✔ There are fewer invalid votes, because only a single input is accepted.
✔ Counting the votes is much faster.
✔ In rural India where illiteracy is still widespread, telling a citizen to push a button is far easier to implement correctly than having to stamp one's ballot, fold a paper twice over and hope that the vote counter(s) will accept it as a valid vote.
More info here - http://en.wikipedia.org/wiki/...
@sturat and those responding: I used to work in a local government legal department, which is the department usually responsible for local electoral administration. The ballot papers get kept until the time for legal challenge of the election result expires and then they're binned if there's been no challenge. Even for a local council bye election in a safe ward you're talking about several hundred ballot papers, and storage space in local government offices is limited. A hundred years of local and national general and byelection ballot papers would be, to use the technical term, a shitload of paper to store. And ballot papers are printed on cheap, non archive grade paper.
As for ripping the number off the ballot, I doubt any of the vote counters would notice. Might get pulled out as a possible fraudulent ballot if anyone did spot it, I suppose, but if there was enough left to identify it as genuine and voter intention was reasonably clear I could see a returning officer telling the counter to bung it back in after consulting with the canditates' agents to make sure they were happy with the decision.
>They said that the basic constitutional
>right to open and public elections was
>offended because a citizen/voter would
>require special (computer) knowledge in
>order to be able to check whether the
>whole election process was carried out
This is ridiculous reasoning. As a citizen/voter I have no power to find out if my vote was included in the result in a paper-based ballot. The whole process was designed to make this impossible.
It should be desirable but not necessary for electronic systems to exceed the functionality of paper based systems.
Nevertheless, as far as I know nobody has ever tried to do eVoting properly. Instead electronic voting is taken to mean automated vote counting.
In fact it is fairly simple to design a voting protocol which would allow citizens to determine if their vote is in the count. Schneier's Applied Cryptography book describes a couple of approaches.
There are secure eVoting protocols which allow the individual votes to be published on a bulletin board along with serial numbers linked back to the voter. The voter can immediately see if his vote has not been included or changed and can prove it if there is a dispute.
Kermit: Firstly, FYI: The court's press announcement, which is fairly detailed, is also available in English:
Secondly, the reasoning is not ridiculous at all. In Germany (and I guess in most other democratic countries using paper ballots), you can observe the counting of the votes. Besides, the counting is done by several volunteers, for whom it is very easy to understand how the counting works. If computers are used, not even these volunteers have a chance of checking the results.
As a comment on electronic voting, electronic vote-counting, and numbered ballots in the United States:
I have served as an election inspector (person who oversees the voting process) in several municipalities in the state of Michigan, from 2000 to 2008.
During that time, Michigan used two different forms of paper ballots which were counted by machine.
Generally, ballots were numbered with rip-off tabs. The tabs are left on until the ballot is inserted into the machine for counting. However, certain categories of challenged ballots may have the number written on the back of the ballot, then covered with a piece of paper taped to the ballot. If it turns out that the challenged person was not elegible to vote, that ballot can be found and removed.
Another category of challenged ballot may be placed in a special envelope, with numbered tab attached. If the voter shows up at the clerk's office in the week following the election and proves that they had the right to vote, that ballot is then processed through the counting machine and the vote added to the total.
(Obviously, there was a carefully-delineated logical tree which arrived at one of these two end-points. Two other possible end-points were the unchallenged ballot, and being denied the vote upon proof that the person was not elegible to vote.)
However, in almost all cases, the numbered tab is removed from the ballot before the ballot is put in the tabulator.
I suspect that most other States in the U.S. follow this guideline.
Some states (such as Florida) do not share Michigan's law about voter intent. Michigan election re-counts can not attempt to infer the intent of the voter if there is are conflicting marks on the ballot. That vote is left uncounted.
However, voters are often warned by the counting machine if they have made an invalid vote, and are offered the opportunity to "spoil" the ballot and re-mark their votes. If they do not wish to do that, all countable votes are counted and the invalid ones are ignored.
All in all, the combination of paper ballots and electronic counting machines works well, as long as the processes and procedures are correct (and clearly defined).
In my opinion, any voting system which does not involve a verifiable paper trail is untrustworthy.
@Kermit the Bog:
In Finland, there actually is a pretty good system to ensure that citizens can be sure their ballots actually make it to the final tally and are counted. Counting is done at polling stations by representatives of competing parties, polling-station specific results are published, and everything is recounted again centrally, and competing parties can observe that, too. If a single person wants to make sure everything was right, he can just ask the people who counted the votes at the polling station. If all of them collude, well then it's bad luck, but even in that very unprobable case (remember, they are from competing parties) the problem is isolated to that single polling station.
And the ballots aren't numbered.
This system has survived rather tense times in internal politics (times before and after a civil war, for example) and the results have been trustworthy.
The first Finnish e-voting results were just annulled by the Supreme Administrative Court, by the way.
I like what Toronto does in municipal elections. We mark an OCR card, then return it to the voting officers. They place it face-down, without looking at it, in a scanner. If all the marks can be read, the scanner accepts it and the vote is counted. Accepted cards are placed in a ballot box for recounts. If the card can't be read, the scanner rejects it and you're given another card to fill in.
For the U.S. elections it might take more than one card per person and more than one box to store the ballots, but I think it could work and work well.
Another advantage is that when the polls close, the results are already counted. They are sent electronically. The only way to tamper with this vote is to tamper with the total. I presume it could be displayed and phoned in officially with all voting officers witnessing.
Here in Brazil, it is 100% electronic. The media loves it; the government loves it; the people, well, too tech uneducated to think about it, but love the "speed".
Those electronic voting machines were never used.
The government of the day wasted €53m buying them. There was an outcry from the techno-cognoscenti (cryptogram readers all) that the things weren't safe. But the Taoiseach (Prime Minister), Bertie Ahern, had the hard neck to call non-believers in e-voting "Luddites".
The Minister responsible for the purchase Martin Cullen was and is a complete Gobdaw. When demands appeared for an audit of the security of the e-voting machines, the Dutch manufacturer demanded a €250m bond, which would be forfeited in the case the machines source code (i.e. their IP) was published. And Cullen actually wanted to pay that bond!
When a review commission finally decided that e-voting was not safe without a backup paper trail, the machines were warehoused and never used.
But the storage costs for keeping the machines amounted to hundreds of thousands of euros a year, because each of the 26 counties had to have separate storage facilities. And, strangely enough, the storage contracts mostly went to Fianna Fail (government party) cronies.
This fiasco went on for years, until finally a new Environment minister canned the whole thing. He was John Gormley, from the Green Party, a minority coalition partner with Fianna Fail since the last election in 2007.
The whole thing was a joke, and a huge waste of money. It's a international embarrassment for Ireland that so much money was wasted on such feeble technology. And the money was spent by feeble minds.
So, sorry Bruce, it was not a case of cleverness from the Irish, it was a case of politicians who were technically incompetent, and so arrogant that they wouldn't listen to their advisers, squandering millions of the taxpayers money on a ridiculous white elephant.
Grrrr! I always vote in every election (people died for my right to do so), but I never voted Fianna Fail, or the "Mé Féin" party as I call them, meaning "Me Myself".
"Grrrr! I always vote in every election (people died for my right to do so), but I never voted Fianna Fail, or the "Mé Féin" party as I call them, meaning "Me Myself".
As someone who lives a little to the West and South of you I'm thinking that "Me Myself and I alone" might apply to the current incumbrents and their leader in the lower chambers of the Palace of Westminster.
I hope the shenanigins going on in there is providing some light relife for those in other nations who have had "British Political Ideals" foisted upon them one way or another.
Needless to say there has been some amusment over here caused by the connection of "Snouts in the trough" and "Mexican Swine flu" by certain of the more out spoken (and grossley overpaid) talent that passes for entertainment these days (you know it's getting bad when you start praying for re-runs of Cannon and Ball...).
Being as we are members of the great Pork Pie in the Sky of political self enrichment the EU, I'm reminded of the French saying “Plus ça change, plus c’est la même chose” (The more it changes the more it stays the same).
I've effectivly lost the will to vote simply because the greedy little porkers have got themselves so embedded in the system (Think Tony Martin Speaker of the House etc.) It appears a task more akin the Fifth Labour of Heracles (AKA Hercules - to clean the Augean stables in a single day). I wonder if he's free I'd be happy to give him more than a day if he'd take on the job as the Ballot paper does not appear capable of handleing it. Oh and since they introduced postal voting it appears that "One man one vote" has been forever lost here 8(
It brings little comfort after many years of calling Blair and his Puke Babe Cronies "crooks" to be vindicated. Which reminds me I'm owed a fiver on my bet over it, the trouble is it's only worth about 50p of what it was when I placed the bet a year after the Grinning Japernapes was elected by the biggest none voting event of our times.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.