FYI
Lee
Aussies Do It Right: E-Voting
By Kim Zetter
Story location: http://www.wired.com/news/ebiz/0,1272,61045,00.html
02:00 AM Nov. 03, 2003 PT
While critics in the United States grow more concerned each day about the
insecurity of electronic voting machines, Australians designed a system two
years ago that addressed and eased most of those concerns: They chose to
make the software running their system completely open to public scrutiny.
Although a private Australian company designed the system, it was based on
specifications set by independent election officials, who posted the code on
the Internet for all to see and evaluate. What's more, it was accomplished
from concept to product in six months. It went through a trial run in a
state election in 2001.
Critics say the development process is a model for how electronic voting
machines should be made in the United States.
Called eVACS, or Electronic Voting and Counting System, the system was
created by a company called Software Improvements to run on Linux, an
open-source operating system available on the Internet.
Election officials in the Australian Capital Territory, one of eight states
and territories in the country, turned to electronic voting for the same
reason the United States did – a close election in 1998 exposed errors in
the state's hand-counting system. Two candidates were separated by only
three or four votes, said Phillip Green, electoral commissioner for the
territory. After recounting, officials discovered that out of 80,000
ballots, they had made about 100 mistakes. They decided to investigate other
voting methods.
In 1999, the Australian Capital Territory Electoral Commission put out a
public call for e-vote proposals to see if an electronic option was viable.
Over 15 proposals came in, but only one offered an open-source solution. Two
companies proposed the plan in partnership after extensive consultation with
academics at Australian National University. But one of the companies later
dropped out of the project, leaving Software Improvements to build the
system.
Green said that going the open-source route was an obvious choice.
"We'd been watching what had happened in America (in 2000), and we were wary
of using proprietary software that no one was allowed to see," he said. "We
were very keen for the whole process to be transparent so that everyone –
particularly the political parties and the candidates, but also the world at
large – could be satisfied that the software was actually doing what it was
meant to be doing."
It took another year for changes in Australian law to allow electronic
voting to go forward. Then in April 2001, Software Improvements contracted
to build the system for the state's October election.
Software Improvements' Matt Quinn, the lead engineer on the product, said
the commission called all the shots.
"They, as the customer, dictated requirements including security and
functionality, (and they) were involved at every step of the development
process, from requirements to testing," Quinn said. "They proofed every
document we produced."
The commission posted drafts as well as the finished software code on the
Internet for the public to review.
The reaction was very positive.
"The fact that the source code had been published really deflected
criticism," Quinn said.
A few people wrote in to report bugs, including an academic at the
Australian National University who found the most serious problem.
"It wasn't a functional or a security issue but was a mistake nonetheless,
and one that we were glad to have flagged for us," said Quinn.
In addition to the public review, the commission hired an independent
verification and validation company to audit the code, "specifically to
prevent us, as a developer, from having any election-subverting code in
there," Quinn said.
"We were concerned that it wouldn't be secure enough," said Green, the
electoral commissioner. The audit was performed specifically to search for
security weaknesses in the system, but Green says the researchers found
none.
The state tested 80 machines in the election, distributed among eight
polling places throughout Canberra (the country's capital). A comparative
manual count after the election showed that the system operated accurately.
The plan is to use the 80 machines again next year, but Quinn said the
difficulty in deploying the system nationwide is that it would have to be
adapted for use over larger geographic areas.
The machines are not what Quinn would call high-tech. The voting terminal
consists of a PC and offers ballots in 12 languages, including Serbian and
Farsi. The system includes English audio for vision-impaired and illiterate
voters.
The voter swipes a bar code over a reader that resets the machine for a new
vote and calls up a ballot. Once a selection is made and reviewed, the voter
swipes the bar code again to cast the vote. The bar code doesn't identify
the voter; it simply authorizes the voter to cast one ballot.
The terminals link to a server in each polling place through a secure
local-area network so no votes are transmitted over the Internet or phone
lines.
Quinn said the server writes two copies of the votes onto separate discs
that are digitally signed and delivered independently to a central counting
place. The digital signature is a 128-bit unique identifier generated from
the voting data. If the data were changed in transit, the identifier would
change too, raising red flags that something went wrong.
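The integrity check described above, as an added example that is not code from eVACS or from the article: the counting centre verifies each disc's 128-bit tag and cross-checks the two independently delivered copies. The article does not name the algorithm, so the truncated HMAC-SHA-256 tag, the key, the function names and the sample vote file are assumptions constructed for illustration.

```python
import hashlib
import hmac

TAG_BYTES = 16  # 128 bits, the identifier size the article mentions

# Constructed sample data: a key held by the election authority and a vote file.
KEY = b"constructed-demo-key-not-a-real-secret"
VOTES = b"ballot,preferences\n0001,3>1>2\n0002,2>3>1\n0003,1>2>3\n"


def make_tag(key: bytes, votes: bytes) -> bytes:
    """Keyed 128-bit tag over the vote file (assumed: truncated HMAC-SHA-256)."""
    return hmac.new(key, votes, hashlib.sha256).digest()[:TAG_BYTES]


def check_copy(key: bytes, votes: bytes, tag: bytes) -> bool:
    """True only if the tag matches the data; comparison is constant-time."""
    return len(tag) == TAG_BYTES and hmac.compare_digest(make_tag(key, votes), tag)


def reconcile(key: bytes, disc_a: tuple, disc_b: tuple) -> tuple:
    """Each disc is (votes, tag). Returns (status, votes to count or None)."""
    ok_a = check_copy(key, *disc_a)
    ok_b = check_copy(key, *disc_b)
    if ok_a and ok_b:
        # Both verify: they must also be byte-identical to be counted.
        return ("accept", disc_a[0]) if disc_a[0] == disc_b[0] else ("reject", None)
    if ok_a or ok_b:
        # One copy was altered or corrupted: count the verified one, raise a flag.
        return ("flag", disc_a[0] if ok_a else disc_b[0])
    return ("reject", None)  # neither copy can be trusted


if __name__ == "__main__":
    tag = make_tag(KEY, VOTES)
    altered = VOTES.replace(b"0002,2>3>1", b"0002,1>3>2")  # constructed alteration
    print(reconcile(KEY, (VOTES, tag), (VOTES, tag))[0])      # both discs intact
    print(reconcile(KEY, (VOTES, tag), (altered, tag))[0])    # one disc altered
    print(reconcile(KEY, (altered, tag), (altered, tag))[0])  # both discs altered
```

A keyed tag is assumed here because an unkeyed digest stored on the same disc as the data could be recomputed by whoever altered the data.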
The machine does not include a voter-verifiable receipt, something critics
of U.S. systems want added to machines and voting machine makers have
resisted.
A voter-verifiable receipt is a printout from the machine, allowing the
voter to check the vote before depositing the receipt into a secure ballot
box at the polling station. It can be used as a paper audit trail in case of
a recount.
Green said the commission rejected the printout feature to keep expenses
down. The system cost $125,000 to develop and implement. The printouts would
have increased that cost significantly, primarily to pay for personnel to
manage and secure the receipts and make sure voters didn't walk off with
them.
Quinn, however, thinks all e-voting systems should offer a receipt. "There's
no reason voters should trust a system that doesn't have it, and they
shouldn't be asked to," he said.
"Why on earth should (voters) have to trust me – someone with a vested
interest in the project's success?" he said. "A voter-verified audit trail
is the only way to 'prove' the system's integrity to the vast majority of
electors, who after all, own the democracy."
As for the costs of securing and storing such receipts, Quinn said, "Did
anyone ever say that democracy was meant to be cheap?"
Quinn also believes that voting systems must use open-source software.
"The keystone of democracy is information," he said. "You have a big problem
when people don't have enough information to make up their minds or, even
worse, they have misleading information and make up their minds in a way
that would be contrary to what they would decide if they had the full story.
"Any transparency you can add to that process is going to enhance the
democracy and, conversely, any information you remove from that process is
going to undermine your democracy."
The issues of voter-verifiable receipts and secret voting systems could be
resolved in the United States by a bill introduced to the House of
Representatives last May by Rep. Rush Holt (D-New Jersey). The bill would
force voting-machine makers nationwide to provide receipts and make the
source code for voting machines open to the public. The bill has 50
co-sponsors so far, all of them Democrats.
"If a voting system precludes any notion of a meaningful recount, is cloaked
in secrecy and controlled by individuals with conflicts of interest, why
would anyone buy it?" Quinn said. "At the very least give citizens the
right to choose whether they want to use paper ballots … thus allowing
each elector to be personally satisfied as to the integrity of the process
in which they are participating."
Quinn, who was working in Chicago for Motorola during the 2000 presidential
election, says he is "gob smacked" by what he sees happening among U.S.
electronic voting machine makers, who he says have too much control over
the democratic process.
It has been widely reported that Ohio-based Diebold Election Systems, one of
the biggest U.S. voting-machine makers, purposely disabled some of the
security features in its software. According to reports, the move left a
backdoor in the system through which someone could enter and manipulate
data. In addition, Walden O'Dell, Diebold Election Systems' chief executive,
is a leading fundraiser for the Republican Party. He stated recently that he
was "committed to helping Ohio deliver its electoral votes to the president
next year."
"The only possible motive I can see for disabling some of the security
mechanisms and features in their system is to be able to rig elections,"
Quinn said. "It is, at best, bad programming; at worst, the system has been
designed to rig an election."
"I can't imagine what it must be like to be an American in the midst of this
and watching what's going on," Quinn added. "Democracy is for the voters,
not for the companies making the machines…. I would really like to think
that when it finally seeps in to the collective American psyche that their
sacred Democracy has been so blatantly abused, they will get mad."
But he says that the security of voting systems in the U.S. shouldn't
concern Americans alone.
"After all, we've all got a stake in who's in the White House these days.
I'm actually prone to think that the rest of the world should get a vote in
your elections since, quite frankly, the U.S. policy affects the rest of the
world so heavily."