E-Voting

At my last Union branch meeting, we heard from Gemma Short of the right to strike campaign. As one part of her presentation she mentioned that one of the Unions’ response to the recent Trade Union laws is to demand that they can run strike ballots (and the mandatory political levy and elections) using e-voting technology. I have been thinking about this for a while and its fans need to take stock; there’s some inconvenient truths.

Better?

Bruce Schneier, in a 2004 essay, posed four requirements, that voting systems be fast, accurate, scalable and anonymous. To these I add, transparency. The London mayoral election of 2016 shows that it’s not always faster, although they use statistical manual controls to enhance accuracy, and they only use e-counting technology, but that e-counting is not necessarily quicker, it’s not cheaper, it’s not more accurate and is not more transparent, in fact it’ll usually be less transparent. Schneier comes to the conclusion that the case for using technology in large scale public elections is not compelling.

Transparency

Neither voters nor candidates can know[1] what compiled software does. It’s a black box and it will have bugs and it is not possible[2] to digitise the concept of a “counting agent[3]”. Some of the controversy around the recent Venezuelan elections comes from this; when the software vendor testifies, who knows if they are telling the truth.

One defence against code opacity is to use open source, interpreted code. In some extreme cases, two (or multi) signature compilations are performed. It’s not crucial tha the applications performing the work are designed to produce application logs. This is now so important that the ISO IT Security standards mandate such logs, ISO 27001 A12.4 and have done for a while.

Accuracy

Keeping the software secure is a significant problem, Schneier, baldly states that it’s not safe to run these systems over the internet. Estonia is the poster child for e-voting, and I look at what people say in this article, Pictfor: Democracy 2.0 where I reference a number of critics of Estonia’s e-democracy as fundamentally insecure. We should note that Estonia has/had an electorate of 500,000; the Labour Party and the leading Unions are all larger than that.

Turnout

In public elections, there is no evidence that e-voting increases turnout, what evidence there is, is that there is a substitution effect, that the young drop out and older persons participation increases.

Hackable?

Both Unions and the Labour Party use Election Reform Services to run their ballots. ERS is regulated by UK law including the Investigatory Powers Act (IPA) and they carry their traffic/votes over the internet. They can be mandated to place backdoors into their systems for use by the intelligence services and unless one obfuscates one’s internet use, your act of voting is monitored and captured[4] by your ISP. The IPA maintains the intelligence services’ mandate to protect the ‘economic security’ of the nation. I once thought this might be about protecting UK Ltd’s intellectual property, but it’s the purpose that allows the intelligence services to monitor and penetrate and influence the Trade Unions and the environmental movements. GCHQ, probably, has the greatest hacking capability available to anyone in the UK[5], and the internet has no borders.

Governance

Returning to the Labour Party and e-democracy, the rules state that the General Secretary is the returning officer and must appoint an independent scrutineer. The problem would seem to be that not only is the software a black box, the Scrutineer’s correspondence remains confidential. If the Scrutineer is the ERS, then they have a conflict of interest between being independent and winning the next contract. Labour’s elections need to meet higher standards of transparency. The proposal to remove votes from the 2015 Leadership election challenges confidence in the accuracy of the results. If votes can be removed, they can be removed in secret. I return to the concept of counting agents; the best protection is partisan observation. At a national level, in my last article on Renewing Labour’s Democracy, I say,

Elections to have independent observers who are to report to the Labour Party and its membership. This report is to be seen by all members. This role is designed to act as a check and supervision of the returning officer and the ballot management service.

This is not necessarily an attack on McNicol’s integrity, just a plea for a transparent segregation of duties and an accountability to the voters/membership.

E-voting systems are very hard to build, and it may be impossible to build a system that protects the secrecy of the ballot and provides a transparent result.

ooOOOoo

[1] Proprietary software is often passed through an obfuscation stage to make reverse engineering harder.

[2] If you use their code, you’re not independent, if you use yours, you’ve hacked their system and it is now unsafe; because if you can read, you can probably write.

[3] A counting agent in UK elections is appointed by the candidates to watch the returning officer’s staff and give confidence through partisan observation that the count is conducted fairly.

[4] Only the act of voting not what you choose to vote.

[5] Estonia has borders with Russia, which has an interest in the results of Estonia’s democracy. IT Security is a question of scale.

1 Comments.

  1. Amended to include comments on open source and ISO 27001 A12.4.