Moderator: This post is partly a response to this earlier contribution by Jason Kitcat.
Daniel Gray (Bournemouth, Senior Software Consultant): E-Voting systems are, by their very nature, complex systems that involve segregation of processes, advanced cryptography and rigorous development methods, and Jason is correct to point out that administration of such complex systems is a difficult area to address. It is therefore unsurprising that many of the current implementations of e-Voting systems have been, shall we say, lacking in a number of key areas. Academics tend to concentrate on the development of a new idea (for example a cryptographic protocol) rather than attempting to build a complete functional system that can be used correctly by stakeholders ranging from electoral administrators and council workers to the general public.
But this doesn't mean that such a system can't be built: simply that it is unlikely to emerge organically from academia or from the Open Source Software community. The only realistic environment that's going to be able to engage all the stakeholders and create an electronic voting system is the business community, and only then if there is the incentive of a ready market. It wouldn't be cheap to develop (the cost of a team of 10 developers working for a year would be around £400,000 for salary costs alone), but the cost of developing and implementing e-Voting systems pales in comparison to the costs of other government sponsored initiatives (see the NHS computer systems, ID cards, etc.) and can be further mitigated by leveraging the solutions into non-statutory commercial environments.
In fact, remote voting systems are similar in many ways to already existing sensitive on-line applications (despite Jason's claims) and many of the lessons learnt in the remote banking sector can be applied to the remote e-Voting sphere. Verifiable auditing that guarantees immutability of audit records, message tracking and double checking, exception reporting, all of these are applicable to the area of electronic voting.
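As an added illustration of the "verifiable auditing that guarantees immutability of audit records" and "exception reporting" mentioned above (example code added here, not from Daniel Gray, any pilot vendor or the banking sector), the following Python builds a hash-chained, append-only audit log: every entry commits to the hash of the entry before it, so altering, deleting or reordering an earlier record breaks every later hash and the verifier reports the first bad entry. The event records, the `GENESIS` sentinel and the station/ballot labels are constructed for the example and carry no voter identity. The example also shows the one case a chain alone cannot catch, truncation of the tail, and why the current head hash has to be recorded outside the system (with observers, in a sealed record) for the check to be complete.

```python
"""Tamper-evident audit log with exception reporting (added example, constructed data)."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # link value for the first record (constructed sentinel)


def _digest(prev_hash: str, seq: int, event: dict) -> str:
    """Hash of (previous hash, sequence number, canonical JSON of the event)."""
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def head(self) -> str:
        """Current chain head; this is the value to publish or seal outside the system."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, event: dict) -> str:
        prev = self.head()
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "event": event, "hash": _digest(prev, seq, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head: Optional[str] = None) -> Optional[str]:
        """Return None if the log is intact, else a description of the first problem found."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return f"entry {i}: broken link (deleted, inserted or reordered record)"
            if _digest(prev, i, e["event"]) != e["hash"]:
                return f"entry {i}: hash mismatch (record contents altered)"
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return "head mismatch: log truncated or replaced since the head was recorded"
        return None


def sample_log() -> AuditLog:
    """Constructed sample: four administrative events from a mock count (no voter data)."""
    log = AuditLog()
    for event in [
        {"type": "session_opened", "station": "mock-01"},
        {"type": "ballot_received", "ballot": "B-0001"},
        {"type": "ballot_received", "ballot": "B-0002"},
        {"type": "session_closed", "station": "mock-01", "received": 2},
    ]:
        log.append(event)
    return log


def tamper_demo() -> dict:
    """Which kinds of tampering the chain catches, and the one that needs an external head."""
    clean = sample_log()
    recorded_head = clean.head()  # stand-in for publishing the head to observers
    results = {"intact": clean.verify(recorded_head)}

    modified = sample_log()
    modified.entries[1]["event"]["ballot"] = "B-9999"  # silently alter one record
    results["modified"] = modified.verify()

    deleted = sample_log()
    del deleted.entries[2]  # remove a record from the middle of the log
    results["deleted"] = deleted.verify()

    truncated = sample_log()
    truncated.entries.pop()  # drop the final record
    results["truncated_chain_only"] = truncated.verify()  # chain alone cannot tell
    results["truncated_with_head"] = truncated.verify(recorded_head)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome or 'intact'}")
```

The verifier's return value is the exception report: `None` means the chain checks out, anything else names the first entry that failed and why, which is what an administrator or an observer would act on. The design point is that the chain protects history but not the end of the log, so a system claiming immutable audit records also needs the head hash held somewhere the operator cannot rewrite.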
One final thing, which I hear denied so often by people who do know better, and on which the whole debate about e-voting seems to turn: currently voting in the UK is NOT anonymous! Your ballot paper has a number on it, and the number is written down against your name on the electoral roll. This information can only be released under judicial order, but it is entirely possible for your vote to be found after it is cast. We've had this system for over 100 years, and it seems to be the elephant in the room for the anti-e-Voting campaigners in the UK. Because of this legal requirement e-Voting systems can be very similar to banking and e-commerce systems, since there is always a final link that can be examined by a judge if severe problems arise.
E-voting, in other words, may be complex to implement and administer, but is technically feasible to develop, and not too dissimilar from already existing, secure commercial systems - and has the potential to duplicate, or even improve on, our existing 100-year-old system.



Comments
"Why are such non-statutory commercial environments not already driving the development of such 'solutions'?" - Because non-statutory requirements are nowhere near as stringent as statutory requirements. You can take a system developed for a statutory environment and run it in a non-statutory environment but not the other way around.
Thanks for your comments Louise, good to have another voice in the debate!
"These figures look a little… quaint. The software development costs are in any case only a small part of the equation." - Sorry about that, the original article text had more detail and expanded on the scope of cost (infrastructure, overheads, analysts, support, etc), but we cut back a bit as the article was quite lengthy.
My problem re anonymity is the continued proclamation that elections MUST be anonymous when conducted electronically by people who know that under law they can't be! If no mention of anonymity was made at all I would have no problems with it.
"The e-voting debate does not, however, ‘turn’ on this, as Daniel Gray puts it." - It does, in a way. One of the arguments is that you can't have accountability because you must have anonymity. Well - if you don't actually have full anonymity you can have accountability.
I'm sorry you've had such bad experiences with the banking industry with regards to fraud, I must admit to never having had any such problems (although I fear I may have just invoked the unspeakable law).
"I don’t propose allowing thousands of civil servants and politicians to have similar access to my voting data" - Neither do I
"(and having data available to a single election judge under order of an election court investigating fraud on an election is just not the same as having that same data printed out and popped in the post every month, or sitting on systems accessed by hundreds of thousands of people.)" - Quite right, identifying information should be very strictly controlled (as it is in our system), and should only be accessible by 2-3 individuals (to prevent loss of a single token preventing access to the entire dataset). I'm not sure what that aside was meant to be saying, as I don't believe anyone would ever condone allowing such highly sensitive information to be so easily accessed, and any system developer that allowed it shouldn't really be working on the pilots program.
"the purpose of the ORG report on 2007 elections was reporting on observation of the workings of pilots and modernisation methods implemented at a particular election" - I'm going to have to correct you a little there, the purpose of the ORG report seemed to be to report only on the problems. No mention was made of the success of the Dover e-counting trial, nor do I remember seeing any generally positive comments... does that mean that nothing positive emerged from the trials, or that there was a deliberate slant in the writing of the report? (I've been assured that the observers went in with an open mind).
"Jason is correct to point out that administration of such complex systems is a difficult area to address." - It is not just the administration of such systems that involves complexity. It is the systems themselves. On election night 2007, I saw developers attempting to fix holes in their systems at 3 a.m. and beyond by coding on the hoof, with a Returning Officer tearing his hair out at their inability to process and merge data without losing chunks of it. If only it were merely the administration that caused problems.
"But this doesn't mean that such a system can't be built: simply that it is unlikely to emerge organically from academia or from the Open Source Software community." - I don't think anyone has suggested they will.
"Academics tend to concentrate on the development of a new idea (for example a cryptographic protocol) rather than attempting to build a complete functional system that can be used correctly by stakeholders ranging from electoral administrators and council workers to the general public." - All the systems operated during the 2007 pilots were from commercial vendors. None came from academics.
"The only realistic environment that's going to be able to engage all the stakeholders and create an electronic voting system is the business community, and only then if there is the incentive of a ready market." - There is a vast market - worth tens of billions of dollars - in the USA, where voting vendors compete with one another from state to state. This market has existed for some years.
"It wouldn't be cheap to develop (the cost of a team of 10 developers working for a year would be around £400,000 for salary costs alone),..." - These figures look a little... quaint. The software development costs are in any case only a small part of the equation.
"...but the cost of developing and implementing e-Voting systems pales in comparison to the costs of other government sponsored initiatives (see the NHS computer systems, ID cards, etc.)" - I'm not sure the 'it could be worse' argument is the right one to use. Why not try to assess the actual costs, and the benefits? The cost per capita for e-voting (for users of e-voting, not non-users) is a good place to start. A comparison with cost-per-capita for other methods might also be worthwhile. We are all taxpayers, and would be interested in these figures. An assessment of the opportunity cost of implementing e-voting might also not go amiss. After all, governments are always telling us they are short of money and don't want to raise taxes. And we currently spend an enormous 'nothing' on fraud prevention measures, according to the election judge in the Aston and Bordesley Green cases.
"and can be further mitigated by leveraging the solutions into non-statutory commercial environments." - Why are such non-statutory commercial environments not already driving the development of such 'solutions'? After all, there are plenty of non-statutory commercial environments driving the development of, say, video or voice over IP, or sat-nav, or social software, or any manner of wonders. Or is the argument that there is some kind of market failure (in the technical economic sense) in the case of e-voting, that needs to be addressed?
"In fact, remote voting systems are similar in many ways to already existing sensitive on-line applications (despite Jason's claims) and many of the lessons learnt in the remote banking sector can be applied to the remote e-Voting sphere. Verifiable auditing that guarantees immutability of audit records, message tracking and double checking, exception reporting, all of these are applicable to the area of electronic voting." - It is not necessary to go to remote banking to find such features: they've been present in all kinds of systems for decades. Unfortunately they are not 'sufficient' for statutory voting over the internet (the method preferred to date in the UK). The best primer on this material is the SERVE report, put together by Avi Rubin, Barbara Simons and others, in response to the US military's proposals for remote electronic voting. I commend this report to anyone interested in the issue.
"One final thing, which I hear denied so often by people that do know better, and on which the whole debate about e-voting seems to turn: currently voting in the UK is NOT anonymous! Your ballot paper has a number on it, and the number is written down against your name on the electoral roll." - Everyone in the voting arena knows full well that where there is an election petition, a court may issue an order for the sealed packets to be unsealed and the votes examined. This is no secret: the information is on every council website! The e-voting debate does not, however, 'turn' on this, as Daniel Gray puts it.
"We've had this system for over a 100 years, and it seems to be the elephant in the room for the anti-e-Voting campaigners in the UK." - I don't see it as an elephant in the room. It's law. Just like first past the post. And it's one of my bugbears. As is the requirement for ballot designs to follow the non-expert pronouncements (in laws) of a bunch of politicians who know nothing about good forms design or interaction design, which often results in badly designed ballots (largely responsible for the recent fiasco in Scotland). Again, something mentioned only 'in passing' in ORG publications. If people mention only in passing, or do not mention, a law they cannot change, when they are studying something else (the purpose of the ORG report on 2007 elections was reporting on observation of the workings of pilots and modernisation methods implemented at a particular election, not opining on the shortcomings of UK electoral law), is this an 'elephant in the room'?
"Because of this legal requirement e-Voting systems can be very similar to banking and e-commerce systems,..." - Perhaps others would be happy with a government official telling them how they voted over the counter at their town hall. I don't find myself quite so happy to share in this way. And my experience over many years as an ethnographer of technology use (in contexts including work and home) leads me to believe that removing secrecy of the ballot would be detrimental to the democratic process.
As far as lessons from banking and e-commerce go, in the last month, my own credit card has been 'compromised' (in the words of my bank), my bank details have been stolen from the major UK web hosts Fasthosts (along with those of some tens of thousands of other victims), my partner's credit card has been compromised, and my partner's daughter's details (along with relevant bank details) are on the 'lost in the post' HMRC CDs. While in some of those cases the relevant institutions (which all mislaid some of our private data) have assisted us in mitigating the effects of the fraud (I await HMRC-related developments), it is nevertheless the case that this was only possible because we have had extensive discussions with numerous employees in financial and commercial institutions about 'exactly how I voted with my money', and they have been able to compare this with 'how other people voted with their money'. I don't propose allowing thousands of civil servants and politicians to have similar access to my voting data (and having data available to a single election judge under order of an election court investigating fraud on an election is just not the same as having that same data printed out and popped in the post every month, or sitting on systems accessed by hundreds of thousands of people.)
And I don't see why a current aberration in UK law - and it is a historical aberration, which is not found in many other democratic countries - should be somehow twisted to form the very foundation of a future voting system. Two wrongs do not make a right. Coercion and vote buying are real problems (witness what has happened in some old people's homes, or the move in Italy to ban mobile phones in polling booths, to take just two examples) and we should not be seeking to make it trivial to see who voted which way. The Australian ballot was instituted for a reason: because of fraud resulting from lack of secrecy and consequent coercion and vote-buying.
Of course, this would be less important if we did not live in a representative democracy (another 'white elephant' ORG perhaps didn't mention?). But that's another issue. And I've rambled on long enough.
In the meantime, I await the arrival of new and splendid e-voting systems from Britain's major banks (based on their expertise with remote banking) 'with interest' :-) (though my suspicion is they have their hands fairly full tight now, firefighting fraud, collapsing lending markets, collapsing institutions and falling share prices).
Hi Tony,
Thanks for your comments, I'd like to address a few if I may.
"The issue of anonymity is not an elephant in the room" - it is from the perspective of those campaigning against eVoting. The Open Rights Group's reports and fact packs only mention that we don't have fully anonymous elections in footnotes or completely omit the requirement. A recent presentation by Becky Hogge that I attended stated that an eVoting system MUST be anonymous without mentioning that the current voting system isn't. This isn't really playing fair, you may not agree with the non-anonymous ballot, but you can't simply ignore it.
"This teapot dribbles, make sure the new one does as well" - that all depends on whether or not you think the anonymity link is a bad thing or not. Any new eVoting system has to adhere to the Representation of the People Act and as such you've got to change the previous system first!
"such system developed by the commercial sector needs its algorithms and source code open to analysis as if it were." - a very good point, and something that worries me personally. I'm all for openness, and if the decision were mine (it's not) I'd let anyone see the source / system architecture. As it stands within the pilots program we've got multiple companies competing against each other which isn't exactly conducive to the open sharing of this information. I sincerely hope that this changes in the future, and is something that I'm actively working on.
The issue of anonymity is not an elephant in the room because it always gets brought up by those selling voting systems. The two key points here are a) should the current system be used as the benchmark for the new? the "This teapot dribbles, make sure the new one does as well" argument and b) whereas it is demonstrably true that the information to link votes to people is unavailable to those counting and tallying votes while they are doing so, the cloak of obscurity round the electronic voting systems as used in this year's UK pilots gives no such assurance.
While I agree that it is very unlikely that academics or the Open Source movement will develop a fully working, cryptographically secure voting system, any such system developed by the commercial sector needs its algorithms and source code open to analysis as if it were.