Lies, Damn Lies, and Six Independent Consultancies

Version 1.4

A relatively small set of justifications is presented by Government and vendor spokesmen in defence of the proposed e-voting system, who will usually cycle from one to the next when a justification is refuted by an interviewer. The purpose of this document is to help interviewers to quickly find a short, effective response to each defence, in order to move an interview along more efficiently. If time allows, the spokesman can be made to exhaust his whole list and begin again, in an entertaining and transparent carousel of lies.

I am indebted to Charlie McCreevy TD, whose speech to the Dáil on 17 Feb 2004 helpfully collected many of the points I am refuting into a single source, thereby saving me hours of research.

The justifications are carefully grouped into three categories: Lies, Untruths, and Distractions. The responses to the justifications can be read in any order.

Table of Contents:

Lies

Untruths

Distractions

Lies

Each of these things is provably untrue, and at least one of the spokesmen who have said it provably knew at the time he said it that it was untrue. Usually this is because he or she has received a report showing conclusively the opposite, and he/she acknowledged the report and accepted its argument and premises but not its conclusion; sometimes it's due to prevarication over terms that have been sorted out in previous exchanges.

Lie 1: Six independent consultancies have verified the system

Six independent consultancies were engaged to examine aspects of the proposed system. They have produced reports. Spokesmen cite these reports in answer to difficult questions, as if anyone who examined the reports in detail would be completely satisfied.

However, if you actually examine the reports, you find that:

In short, the reports analysed several small aspects of the system, but no comprehensive examination of security emerges even if all the reports are combined. This is no slur on the independent consultancies: their hands are tied by the extraordinarily narrow terms of reference given to them. In particular, important security problems surrounding tampering and auditing are not covered by the consultants' remits.

Lie 2: It's a totally open system

The proposed system is generously endowed with secrecy. The source code is treated as a trade secret instead of as a part of the public law.

The configuration of each voting machine is not discernible: in order to dissuade tampering on the day of the election, the machines are sealed, which prevents any effort to examine them — for instance, to verify that the ROM chips actually contain the tested program code and not a surreptitious replacement.

Finally, the suppliers have bitterly resisted any attempt to add an audit trail that might uncover any errors in recording of votes. If the machine makes any errors in recording, no evidence of it will exist that might otherwise expose the suppliers to liability.

Lie 3: The all-party Oireachtas committee endorsed it

The Joint Oireachtas Committee on the Environment and Local Government voted to approve the e-voting proposal only because the Government members, who have a majority, were whipped into making and forcing through that motion. The other parties objected and voted against it.

The vote arose because the Committee chairman had written to the Minister for the Environment, Heritage and Local Government asking him not to proceed to sign the contract until the Committee were satisfied that certain security concerns had been dealt with. At the next Committee meeting, the Department sent along representatives of the suppliers, and one of the independent consultants, who defended their system until the lunch break. After the lunch break, the Government members unveiled their surprise strategy, returned to public session (without the non-Department experts), and forced through the vote.

This is classed as a lie because it attempts to deceive the listener into believing that the Committee endorsement was by all-party consensus.

Lie 4: The system has passed rigorous and independent testing

The system has been subjected to examination, and parts of it have been subjected to testing. But testing components separately is not a practical guide to the result of a system test, as any software engineer will confirm. The only complete end-to-end test that the system is known to have undergone involved only a single race with 2,483 votes. The system has not been seriously tested.

Nor have the tests of components been rigorous, or even complete. See the discussion of the related six independent consultancies lie for details.

Lie 5: There was broad political consensus for e-voting until recently

A recent canard is that there was all-party support for electronic voting until relatively recently, with the implication that opposition to it can be dismissed as mere political point-scoring.

The legislation enabling e-voting is the Electoral (Amendment) Act, 2001 which started life as the Electoral (Amendment) Bill, 2000. Part 3 of the Bill provided for e-voting trials, but Part 4 changed the limits for political donations. The resulting Bill was highly controversial and was eventually passed only by use of a guillotine in both Houses of the Oireachtas.

Concerns about the security of e-voting have been raised early and often. I have compiled a list of the early references to e-voting in the Oireachtas debates at http://www.iol.ie/~aecolley/record.html. In particular, Senator Feargal Quinn pointed out on the very first day of debate that "The new system will require an act of faith that the current system does not require. The vast majority of people will make this act of faith but whether they are right to do so is another matter." Richard Bruton TD asked the then Minister to state "the form of testing which is being undertaken to proof the system against viruses or tampering" but an answer wasn't provided.

Lie 6: The system has been used 70 million times with no complaints

Sometimes this lie is qualified by saying "no significant complaints". Complaints have been plentiful, and have generally been addressed to TDs and technology journalists.

Complaints by individual voters to returning officers or to the High Court are not possible, because there is no way to gather evidence that might substantiate any such complaint. Who would complain that their votes were not recorded accurately if they couldn't provide any evidence to distinguish themselves from vexatious litigants?

Lie 7: The system can't be hacked because it isn't on a network

The system is standalone — that is, it has no regular data connection to any other computer or network. Therefore, it would be correct to say that it can't be hacked over a network. But the statement is that it can't be hacked at all. In fact, it can still be hacked by anyone in possession of the machine.

To pick one example out of a field of many possibilities (none of which have been examined by the supposedly-rigorous testing regime), it is possible to write a Microsoft Excel macro which can be entered on one of the count-centre PCs by hand. The macro language has convenient access to the Microsoft Access database which is trusted to hold the electronic ballots. A clever macro could easily modify large numbers of preferences without leaving any obvious traces. This simple example illustrates a possible hacking attack that involves physical access instead of network access.

Lie 8: Voters can verify their votes by looking at the display screen

It is trivial to program a voting machine to display the voter's set of preferences on the display of the machine, but to record an entirely different set of preferences on the ballot module. Because the voting machine can be reprogrammed or modified, this is a real possibility. Because voters have no opportunity to examine the ballot module, they have no first-hand knowledge that their vote is correctly recorded, regardless of the information displayed to them by the voting machine.

Lie 9: There is a full legal audit trail in the proposed system

The proposed system can print out the recorded ballots onto paper. Since there is no evidence that the electronically recorded ballots are equivalent to the votes actually cast, a printout of those electronic ballots is no more reliable.

In particular, the voter is the only person who is able to audit a ballot, for the simple reason that he/she is the only person legally entitled to know the preferences that are cast. After the voter leaves the voting centre there is no way to correlate voters with ballots. Consequently there is no way to meaningfully audit any ballot in the count centre. The special anonymity requirement of voting means that the only auditing which can be done must take place in the polling booth.

With the old paper system, this auditing was automatic without further action — each voter was justifiably sure that his/her vote was recorded exactly as cast, because he/she had exclusive and uninterrupted control of the ballot paper from the time it was franked to the time it was dropped into the ballot box. With electronic voting, the need for auditing persists but it no longer happens automatically (because the voter does not have control over the ballot module). The suppliers of the proposed e-voting system, having failed to identify this requirement during early design, are instead treating it as a frivolous request to appease Luddites. The meaningless printout onto mock ballot papers would appease no-one else, least of all a court of auditors.

Lie 10: VVAT would unconstitutionally endanger the secrecy of the ballot

Since a VVAT is retained in a ballot box for use in checks, it poses no more danger to ballot secrecy than the all-paper system which is handled identically without constitutional problems.

This lie is rooted in an intentional misinterpretation of a VVAT as a vote receipt. Vote receipts are undesirable as they could lead to intimidation and vote-selling; they form no part of any VVAT proposal.

Untruths

These are statements which are untrue, but we can't be absolutely, positively, defamation-suit-winningly sure that the spokesman knows better.

Untruth 1: We won't end up like Florida because they used punched cards

The spectre of Florida's experience in the 2000 election haunts election officials who consider new voting technologies. The fear is that the machines will malfunction in such a way as to throw the result of the election into doubt and cause a constitutional crisis.

Officials often counter this by claiming (falsely) that Florida's problems stemmed from its use of antiquated punched card machines: the implication is that modern electronic voting machines are immune to the same problems.

In fact, Florida used a range of different voting technologies — the problems with punched cards dominated the television coverage only because of the bizarre spectacle of election board members holding punched cards to the light.

Counties which used plain paper ballots or optical-scan ballots simply got on with their recounts, and had few or no problems.

Counties with electronic voting machines had no way to recount, so they simply went through the motions of recording the totals from each machine.

In fact, precinct 216 in Volusia County had a rather interesting problem on election night: when they uploaded their results, it showed up as -16,022 votes for Gore (yes, minus). Subsequent investigation showed that two ballot modules had been uploaded from that precinct, and the totals from the second one replaced those from the first one. More interestingly, the second one had the same total number of votes, but a different distribution: Gore received 16,022 fewer (hence the negative update), and an obscure Socialist candidate received 10,000 more. When the first module was uploaded once more, the figures reverted. The second module has not been found. Investigators ruled out any fault in the module, which leaves only interesting possibilities.

Untruth 2: Objections are due to political point-scoring, not security concerns

Computer experts in Ireland and abroad have made escalating attempts to bring the weight of their opinions to bear on this issue. We have been stonewalled at every turn as the Government and Department of Environment personnel simply refused to acknowledge the validity of any argument whose conclusion is at variance with their own determination to adopt the proposed system.

Eventually the Opposition parties and the mainstream media became aware of the depth of the problems we were talking about. If political parties want to score points and journalists want to sell newspapers by highlighting those security concerns, it is not in our interest to stop them.

The politicisation of the process of objection (which seems to have been substituted for a process of consultation) is unfortunate, but it does not detract in any way from the validity of the security concerns that have been raised.

Untruth 3: It's much easier for paper ballots to be lost or compromised

Paper ballots, which are verified by the voter in each case and held in boxes in public view, are more difficult to lose or interfere with than a pattern of electrons in a sealed electronic ballot module. It's difficult to understand how this could fail to be obvious.

Deputy Nolan referred to a case (Private Members' Business, Dáil Éireann, 17 Feb 2004) in which an entire ballot box was lost, in support of this untruth. A ballot box is a steel object occupying about 27 litres of space (1 cubic foot); an electronic ballot module fits in a pocket. Which is easier to lose? Which is more vulnerable to prestidigitation?

Untruth 4: E-voting's unblemished European record proves its reliability

Lack of proof of errors does not constitute proof of lack of errors.

E-voting systems have failed visibly in European elections, and by design the Nedap-Powervote system (proposed for use here) carefully avoids producing evidence showing whether it has incorrectly recorded votes.

The Belgian e-voting system (which is not Nedap-Powervote) added a spurious 4,096 to one candidate's total on 18 May 2003, in an incident documented by David Glaude. The cause was assumed to be a single event upset (spontaneous bit inversion) of bit 12 of a value in the computer's memory. The error was noticed because the candidate's total was greater than his party's total. There is no reason to believe that a similar event could not occur in the Nedap-Powervote count-centre PCs.
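The Belgian error was caught only because the corrupted figure broke an internal invariant of the count (a candidate cannot out-poll his own party). The following is an added illustration, not code from this document or from any voting system, of the kind of tally consistency check a count centre could run, and of its limit: a bit flip that does not break an invariant passes unnoticed, which is the gap a voter-verified audit trail closes. All party names, candidates and totals are constructed sample values.

```python
"""Tally invariant checks of the kind that exposed the Belgian 2003 bit flip.
Added illustration for this article; not code from the article or from any
voting system.  All tallies below are constructed sample values."""

import copy


def flip_bit(value: int, bit: int) -> int:
    """Model a single event upset: invert one bit of a stored integer.
    Flipping bit 12 of a count below 4096 adds exactly 4096 to it."""
    return value ^ (1 << bit)


def sample_tallies() -> dict:
    """Constructed count-centre tallies: each party's total plus the
    preference votes of the candidates on that party's list."""
    return {
        "Party A": {"total": 3000, "candidates": {"Alice": 1500, "Bob": 900}},
        "Party B": {"total": 2000, "candidates": {"Carol": 1200, "Dave": 500}},
    }


def corrupt(tallies: dict, party: str, candidate: str, bit: int) -> dict:
    """Return a copy of `tallies` with one bit flipped in one candidate's count."""
    damaged = copy.deepcopy(tallies)
    cands = damaged[party]["candidates"]
    cands[candidate] = flip_bit(cands[candidate], bit)
    return damaged


def check_tallies(tallies: dict, ballots_cast: int) -> list:
    """Return the list of invariant violations; an empty list means the
    tallies are internally consistent.

    1. No candidate may have more votes than the party's own total
       (the check that revealed the Belgian error).
    2. The party totals must add up to the number of ballots cast.
    """
    problems = []
    for party, data in tallies.items():
        for cand, votes in data["candidates"].items():
            if votes > data["total"]:
                problems.append(
                    f"{cand} ({party}) has {votes} votes, more than the party total {data['total']}"
                )
    party_sum = sum(d["total"] for d in tallies.values())
    if party_sum != ballots_cast:
        problems.append(f"party totals sum to {party_sum}, but {ballots_cast} ballots were cast")
    return problems


if __name__ == "__main__":
    clean = sample_tallies()
    print("clean:", check_tallies(clean, 5000))
    # Bit 12 flipped in Alice's count: 1500 -> 5596, which exceeds Party A's
    # total of 3000 and is therefore caught.
    print("bit 12:", check_tallies(corrupt(clean, "Party A", "Alice", 12), 5000))
    # A flip in a low bit moves the count by only a few votes and breaks no
    # invariant, so the software alone cannot notice it.
    print("bit 3:", check_tallies(corrupt(clean, "Party A", "Alice", 3), 5000))
```

The second scenario is the important one: a corruption of a few votes in a candidate's count leaves every invariant intact, and nothing inside the count-centre PC can tell that anything is wrong. Only a record the voter verified independently of the machine can.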

The designers of the Nedap-Powervote system resist accepting the lucrative extra work of adding a voter-verified audit trail to their system. It is in Nedap-Powervote's commercial interest to oppose VVAT, because if VVAT demonstrated that there were any errors in the system, they would be commercially ruined. On the other hand, if they have full confidence in the accuracy of the system, they should be all in favour of VVAT, which would only serve to prove their claims of accuracy.

Untruth 5: A VVAT is only relevant to systems used in the USA

This is an unjustified and inexpert assertion. The voter-verified audit trail has been identified by computing experts as a sine qua non for electronic voting systems, without qualification (geographical or otherwise). Initially the call for a VVAT came from the US, because it was most sorely needed there; but now it's needed here, and Irish experts are correctly calling for it as well.

There is no technological distinction between the Nedap-Powervote system and the various systems used in the US which justifies an exemption for Nedap-Powervote from the VVAT requirement. Representatives of Nedap-Powervote have claimed that there is such a distinction, but they have not been able to substantiate their claim. The laws of information and computation are as universal as the laws of physics.

Untruth 6: Printers are unreliable so we can't use them in voting machines

The Government has answered questions about breakdowns in voting machines by announcing that standby voting machines will be available to replace those that break down during polling. Similarly, and without complication, standby printer units can be made available to replace printers that break down during polling.

Untruth 7: Mixing of ballots makes VVAT check impossible

The VVAT check does not consist of conducting a traditional paper-ballot count to compare with the electronic result, as speakers of this untruth seem to assume. The check consists of collating the paper records to ensure that each electronic ballot has exactly one corresponding physical record. As with the traditional count, there are mathematical shortcuts available which will greatly reduce the work involved (but without sacrificing accuracy).
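As an added illustration of the collation just described (not code from this document or from any voting system), the following compares the electronic ballots with the paper records as two multisets of preference patterns, which is all that anonymity allows once the boxes have been mixed. Ballots are modelled as tuples of candidate names in order of preference, PR-STV style; the candidate names and ballots are constructed samples.

```python
"""Collating a voter-verified paper record against the electronic ballots.
Added illustration for this article, not code from the article or from any
voting system.  Ballots are modelled as preference lists (a tuple of
candidate names in order of preference); all data here is constructed."""

from collections import Counter
import random


def reconcile(electronic, paper) -> dict:
    """Check that every electronic ballot has exactly one matching paper
    record, and vice versa.

    Because ballots are anonymous and the boxes are mixed, records cannot be
    paired individually; they are compared as multisets of preference
    patterns instead.  Each returned counter lists patterns present on one
    side but not the other.  Both empty means the two records agree."""
    e_counts = Counter(tuple(b) for b in electronic)
    p_counts = Counter(tuple(b) for b in paper)
    return {
        "electronic_without_paper": e_counts - p_counts,  # recorded on disk, no paper record
        "paper_without_electronic": p_counts - e_counts,  # on paper, no electronic ballot
    }


def is_consistent(result: dict) -> bool:
    return not result["electronic_without_paper"] and not result["paper_without_electronic"]


def sample_ballots() -> list:
    """Constructed PR-STV style ballots for a three-candidate race."""
    return [
        ("Murphy", "Kelly", "Walsh"),
        ("Kelly", "Murphy"),
        ("Walsh",),
        ("Murphy", "Kelly", "Walsh"),
        ("Kelly",),
        ("Murphy", "Walsh"),
    ]


def mixed_copy(ballots, seed=2004) -> list:
    """Return the same ballots in a different (deterministic) order, as the
    paper records come out of a mixed ballot box."""
    mixed = list(ballots)
    random.Random(seed).shuffle(mixed)
    return mixed


if __name__ == "__main__":
    electronic = sample_ballots()
    paper = mixed_copy(electronic)
    print("matching records consistent:", is_consistent(reconcile(electronic, paper)))

    # One electronic ballot differs from what the voter verified on paper.
    altered = list(electronic)
    altered[4] = ("Walsh",)
    result = reconcile(altered, paper)
    print("altered record consistent:", is_consistent(result))
    print("electronic ballots with no paper record:", dict(result["electronic_without_paper"]))
    print("paper records with no electronic ballot:", dict(result["paper_without_electronic"]))
```

The order of the paper records is irrelevant to the result, which is why mixing is no obstacle. The same comparison also reports a paper record that has gone missing, or an electronic ballot that has no paper counterpart at all.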

Untruth 8: VVAT hasn't actually been used anywhere, not even California

VVAT is already used in 31 of California's 58 counties in the form of an optical-scan ballot, viz. a paper ballot marked by the voter and fed into a machine which scans the ballot and generates the electronic record used for the prima facie result. California has not yet had an election subject to its recent decision to mandate VVAT in all counties.

VVAT by the Mercuri method has also been used. For instance, it was used in Southington, Connecticut in November 2003; see "The computer is ALWAYS right", RISKS volume 23 number 3. (In the Mercuri method, the electronic record is used to generate the paper ballot, which is then shown to the voter.)

The Australian ballot system (which we've been using in this country for over a century) was also an example of VVAT, where the ballot paper did double duty as the record used for counting and as the voter-verified proof of the vote.

Untruth 9: Source code cannot be released due to security concerns

The computer security industry has a name for this fallacy: security through obscurity. The fallacy is in the belief that security holes caused by bugs in the implementation will be less vulnerable if fewer people are officially allowed to examine the implementation source code. It hasn't helped Microsoft.

Long experience has taught computer security experts that concealing source code means that the bugs are not identified and fixed. Instead, they are found first by black hats who either reverse-engineer the source code or simply illegally obtain it somehow. By the time the bugs are noticed by the white hats, exploitation has been going on for some time undetected.

A famous example is the A5 encryption algorithm used to secure GSM calls against eavesdropping. The details of the algorithm were kept secret, but the encryption was eventually broken, and now A5 is recognised as providing practically no confidentiality.

In contrast, revealing source code often leads to bugs being found by the many lawful reviewers as well as by would-be criminals. By allowing a decent interval between revelation of the source code and deployment of the system in a critical environment, the risk of an undetected bug being exploited is actually lower than in the closed-source approach.

For more discussion and examples, consult the writings of vocal security experts Bruce Schneier and Ross Anderson.

Distractions

These are things that are irrelevant to the subject under discussion. They are thrown into the interview in an attempt to muddy the waters, or to confuse the issue. A lot of political discourse consists of answering questions that have not been asked; such answers belong in this section.

Distraction 1: We must adopt this system in order to eliminate spoiled ballots

E-voting systems are able to prevent accidental spoiling of ballots or to alert the voter to potential errors before the vote is cast. However, this is true regardless of whether the e-voting system has a voter-verified audit trail or not. This gambit attempts to distract the listener from the fact that the substantive issue is all-electronic versus voter-verified, not electronic versus all-paper.

Distraction 2: E-voting is important for improving voter turnout

Experiments in the UK have shown that turnout is not improved by use of e-voting. Turnout is improved by use of remote e-voting, but we may be grateful that the Government is not even attempting to adopt such a system.

A report of an e-voting pilot in the UK said:

Turnout in the May 2002 local elections in Stratford on Avon was slightly higher than for the May 2000 elections, at 42% as opposed to 39% in 2000. This increase was consistent with the national trend across all local authorities.

The district council was able to ensure that each presiding officer could monitor how many electors had voted during each hour by obtaining a running total from the machine. Although no assessment has been made of whether there were any significant differences in turnout between urban and rural polling stations, it would be possible to determine this with the information available.

Some members of the local media indicated that they had received information that voters had encountered difficulties at a significant number of polling stations and as a result had not voted. They also noted that some of the candidates had contacted them because of their concerns about this, and also that the electronic voting pilot might have indirectly had an impact on the outcome of the election. Some voters also felt that the certainty and secrecy offered by the pencilled cross had been removed and that the pilot was in fact a deterrent to voting.

It was also noted that the electronic system did not attract substantially more young voters.

(Source: Evaluation of Pilot Scheme in Stratford on Avon during the May 2002 Local Elections, The Electoral Commission, 2 May 2002.)

Distraction 3: Millions of Dutch, German and French voters can't be wrong

We are told that the sophisticated European countries which have adopted this system or a similar one would not have done so if there was a doubt about its reliability and security. This is an attempt to evade the debate by appealing to cognitive dissonance: if the system is insecure, then it implies that Ireland would be right to reject it, and we would therefore deserve our high-technology reputation, contrary to our traditional national inferiority complex.

In fact, the other countries that have adopted unaudited e-voting unambiguously have made a serious mistake. It may not be Ireland's place to tell other countries how to run their elections, but there is no reason for us to repeat their mistakes.

Distraction 4: The software correctly records the votes

The software can be reprogrammed between the test and the election. Indeed, the word software comes from the ease with which it is replaced. The security concern is unanswered by the putative correctness of the software that is replaced.

Distraction 5: Returning officers will have smartcards and PINs to control access

Access to each count-centre PC will be protected by a smartcard reader and a PIN number, both of which will be possessed only by the returning officer. This is supposed to guarantee that only the returning officer needs to be trusted with the election.

When a software update is delivered for installing on the PCs, it is unlikely that a returning officer will personally vet the program to be installed; rather he/she will have to trust technicians to install the right update and to ensure that it's safe and correct. In their turn, the technicians will have the opportunity to switch or infect the program, but won't have a practical way to be sure that someone else hasn't already done so.

Whatever is installed on the PCs, it is likely that the returning officer will use his/her smartcard and PIN to authorise it. What reason could he/she give for refusing?
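The smartcard and PIN authorise whoever holds them; they say nothing about whether the program being authorised is the one that was tested. An added illustration (not code from this document or from any e-voting supplier) of the minimum check a technician or returning officer could make before installing: compare each delivered file against a list of digests received through a separate channel, and refuse anything that does not match, is not on the list, or is missing from the delivery. The file contents and the digest list are constructed samples, and a real deployment would publish digital signatures rather than bare digests; this example does not model that.

```python
"""Checking an update against a digest list received out of band before
installing it.  Added illustration for this article, not code from the
article or from any e-voting supplier.  The update contents and the digest
list are constructed samples."""

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample update files, as delivered to the count centre.
DELIVERED = {
    "count.exe": b"constructed sample: count program v2.0\n",
    "tally.dll": b"constructed sample: tally library v2.0\n",
}

# The digest list the returning officer receives through a separate channel
# (for example, on paper from the Department).  Derived here from the genuine
# files only so that the example is self-contained.
PUBLISHED_DIGESTS = {name: sha256_hex(data) for name, data in DELIVERED.items()}


def verify_update(files: dict, published: dict) -> list:
    """Return the names of files that must NOT be installed: anything whose
    digest differs from the published one, anything not on the published list,
    and anything on the list that is missing from the delivery.  An empty
    list means the delivery matches the published description exactly."""
    rejected = []
    for name, data in files.items():
        expected = published.get(name)
        # compare_digest does a constant-time comparison; no published entry is a rejection.
        if expected is None or not hmac.compare_digest(sha256_hex(data), expected):
            rejected.append(name)
    rejected.extend(name for name in published if name not in files)
    return sorted(rejected)


def tampered(files: dict, name: str) -> dict:
    """Model one delivered file having been replaced somewhere along the chain."""
    changed = dict(files)
    changed[name] = files[name].replace(b"v2.0", b"v2.0 (modified in transit)")
    return changed


if __name__ == "__main__":
    print("genuine delivery rejected:", verify_update(DELIVERED, PUBLISHED_DIGESTS))
    print("swapped file rejected:", verify_update(tampered(DELIVERED, "count.exe"), PUBLISHED_DIGESTS))
    extra = dict(DELIVERED, **{"helper.dll": b"constructed sample: file nobody published a digest for\n"})
    print("unlisted file rejected:", verify_update(extra, PUBLISHED_DIGESTS))
```

The check is only as good as the channel the digest list arrives by: if the list travels with the update, whoever swapped the file can swap the list too. That is the weakness the Jargon File anecdote below turns on.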

If this sounds like an impractical attack, then the following anecdote (from the patch entry in Eric S. Raymond's Jargon File) may give you pause:

There is a classic story of a tiger team penetrating a secure military computer that illustrates the danger inherent in binary patches (or, indeed, any patches that you can't — or don't — inspect and examine before installing). They couldn't find any trap doors or any way to penetrate security of IBM's OS, so they made a site visit to an IBM office (remember, these were official military types who were purportedly on official business), swiped some IBM stationery, and created a fake patch. The patch was actually the trapdoor they needed. The patch was distributed at about the right time for an IBM patch, had official stationery and all accompanying documentation, and was dutifully installed. The installation manager very shortly thereafter learned something about proper procedures.

Distraction 6: Computers are used to run aeroplanes and banks, why not e-voting?

Aeroplanes are run by the pilots with the assistance of computers, not by the computers alone. No pilot would accept responsibility for a flight on which he or she would be dependent on the correct operation of the computers for the continued safe operation of the flight. There is always a manual backup.

Banks always have an audit trail. Because there is no requirement for anonymity with bank accounts, it is possible to trace any transaction to the identities of the parties involved. The secret ballot has an anonymity requirement; this means that a form of auditing which does not link the ballot with the voter is needed; it does not mean that auditing can be neglected. No bank could satisfy auditors that their account balances were correct using only assurances about the security of their computer equipment.

Distraction 7: Opponents of the system aren't all credible experts

ICTE are an ad hoc group of Irish citizens who agree with the group's stated goals. Although the group includes information technology experts, they do not claim to be unquestionable authorities, and they do not make arguments from authority. All of the group's statements are independently verifiable by anyone who makes the effort.

In particular, criticism of ICTE's members does not amount to criticism of ICTE's arguments.

Adrian Colley <aecolley@spamcop.net>

ChangeLog

What's changed in each new version of this report:

1.1

Added version number and ChangeLog.

Added style sheet and table of contents (courtesy of Kevin?).

Reworded status quo paragraph in Untruth 4 to be less ambiguous (courtesy of Aengus).

Typo: sarificing.

Added details of non-Mercuri VVAT systems to Untruth 8 (prompted by Cian).

Inverted fallacy explanation in Untruth 9 from "more…if more" to "less…if fewer" to make the following jab at Microsoft a bit clearer.

Changed "are more able" to "are able" in Distraction 1 because there isn't a "than".

Added links to cited debate fragments, and marked-up some abbreviations.

Added <base> element and made links relative.

Reformatted and restyled the block quotes so they more closely match the presentation in their parent documents.

Retitled Electoral Commission report title to match that in the downloadable PDF file.

New Lie 10.

Disambiguated e-voting in Untruth 4.

Added Valid XHTML 1.0! logo.

Replaced ballot-module-shim hack in Lie 7 with an easier one suggested by Joe.

Added GSM example to Untruth 9 (provided by Joe).

Adopted a more accurate summary of the only known system test, in Lie 4. Provided by Joe.

1.2

Style sheet no longer applies to print, so it will look better.

Reworded the preamble to Lies to avoid inadvertently accusing additional spokesmen who don't necessarily know the truth. Thanks to Michael.

1.3

Replaced 54% with 31 out of 58 in Untruth 8 (information from California Secretary of State website).

Added Distraction 6.

Added Distraction 7.

A newly-announced end-to-end test (the Buncrana UDC test) replaced the old one in Lie 4.

1.4

Added Valid CSS! logo.

More markup (links and acronyms).

Changed Untruth 8 to account for Super Tuesday: California have now had an election, but it wasn't subject to the recent VVAT decision.