Australian Electoral Commission Says E-Voting Is Coming, But It's Hard

The Australian Electoral Commission is having a bad few weeks. After being forced to recount the votes for Western Australian Senate seats, the AEC declared it had lost around 1400 ballot papers, opening up a Pandora's Box of problems including potential by-elections, recount demands and court cases. It's easy enough to say that this could all be solved with computers and fancy e-voting, but the Electoral Commissioner isn't so sure.

Speaking to ABC Radio this morning, Electoral Commissioner Ed Killesteyn said that it's likely Australians will experience some sort of e-voting platform in future, but the road to digital democracy is a tough one.

"There is a trend or certainly a good debate that is needed about electronic voting, and i think it is inevitable that there will be some e-voting in the future," Killesteyn said, adding that throwing some internet at the problem isn't an instant fix.

"We have to be careful that we suggest that there’s an easy solution to [eliminating error]. If I was to provide the same voting facilities for all 14.7m voters [via electronic means], I would need 120,000 e-voting machines deployed across the country, and I would have 33 days to do it because the [election] date is not known. The notion that there is a simple solution through e-voting needs to be considered," he added.

The Commissioner and the AEC outed a discussion paper last year to get the conversation around e-voting started.

Would you trust voting via the internet?

Image via Shutterstock


Comments

    Haven't they heard of the internet ? Other departments , notably the ATO have developed e-tax which has much more volatile information than the security needed to vote some drongo into Canberra - and those that don't have access to the web can still go thru the traditional rigamarole
    or postal etc I cant believe the AEC just use the electoral roll database to print out hard copies to each booth to rule a biro through !

      I agree with your last point. A connected method of marking the roll would actually prevent someone voting multiple times, instead of just punishing them after the fact, and not being able to remove their extra votes.

        The last ACT election had a system that did just that

      There are several reasons why you don't want people voting in their own home on their own computer.
      First, there is the basic issue of a virus/worm influencing an election. Sure, people use e-tax to do their tax, but there isn't much systematic gain to be had from rigging someone's tax. An election is a different story.
      Second, it allows for verifiable vote-buying or bullying. In the ideal system, you want someone to be able to check that their vote was counted for who they wanted, but not be able to prove to anyone else which way they voted. That way, no-one can threaten you to vote one way or another because they can't check if you actually did vote that way or another.
      Third, the Internet is not secure. SSL connections are only as safe as the keys (at best) or the certificate provider's willingness or ability to generate a fake certificate (at worst). Certificate pinning can reduce risks, but ultimately it remains a problem.

      Adding real-time lookup of who has voted at polling stations, in addition to crossing people off on a list would be a good idea, but even if someone is listed as having voted then they should be able to vote and have the vote provisional until the hardcopy lists can be checked. Otherwise an attack could turn away voters incorrectly and there is no recourse.

      Electronic voting isn't inherently a bad thing, but because of the operation is essentially opaque when running it is high-risk. Electronic voting at home is inherently a bad idea.

    Can;t the Government setup an online voting platform? Surely it can't be that hard. There wouldn't be any more tampering than there is now.

    as much as i'm a fan of all things tech, i still feel that e-voting is soo open to hacking/manipulation etc..

    I wouldn't register to vote online, its too big a target for hackers.

      Precisely this.

      I mean, just look at all the issues that the in-person e-voting machines have had in the US in their previous elections, and those things were supposed to be offline. There are way too many things that could go wrong with voting taking place over the internet even before you get to the illegal stuff.

      I think if this system comes around, you me ay not have a choice other than if you have a legitimate excuse to vote other means... :)

    After all the hoopla surrounding the US e-vote machines, I'm very happy with my pencil and paper tyvm.

      That's precisely the problem; They still use pencil! If they use Pen then I would at least be assured that nobody can take an eraser to the paper and change my vote!

        You can take a pen with you to the voting booth ya know...

    Its not just as simple as saying, the ATO have internet facilities, or, you can do internet banking why not internet voting. An election is an election, and as we have seen in WA, if something goes wrong, ie. hacking the system, adding, deleting or altering votes, then there is no way of back tracking and getting those votes again. Voting is secret and at the moment of casting a vote it MUST be separated (with NO way of matching it to the elector) from the voter's name. Online voting is a very complicated and controversial issue, and running a full Fed election online is a red rag to a bull hacking wise.

    electronic counting (scanning) of hand written ballot papers on the other hand is a different story. That could definately help avoid these types of issues.

    For all its faults, you'll always have a permanent record with pencil-marked ballots.

      Not when "the AEC declared it had lost around 1400 ballot papers".

    Everyone who is above a certain age and working has a Tax number, and generally it's the working or retired population who need to vote, so why can't they use that number as a secure method of preventing fraud...? Having said that, the guy is right it's not an easy fix and will need some heavy firewalls. Maybe once they perfect quantum computing...? :)

      You forget that the system must be anonymous, it's a difficult problem.
      They system would have to be 100% verifiable while being 100% anonymous.

      Also a TFN doesn't belong only to citizens, it is not secret information (you tell every employer, bank, broker, etc what it is) so it is really no different to name+address as is currently on the roll.

        Yes but I was thinking along the lines of verification for vote and then you could be transferred to actual voting page, because you need to be verified in the fist place. As I mentioned above, I realise it's not an easy problem to solve.

        They system would have to be 100% verifiable while being 100% anonymous.

        That's not actually possible. You can't verify that a vote was made if you can't verify who did it.

          Really? Why not?

          You could have a unique number pool. When someone is verified, you grab a unique (digitally signed) number, and when they vote, you record that number as used. So long as you don't actually log who you gave the number to, you can check the number of identity verifications and number of votes cast.

            And what do you do if those two numbers don't match? Run the election again?

            What I find more interesting, is what becomes possible through data mining if they actually did track who voted what way. For example, if a candidate doesn't win, they could check statistics of the kinds of people that voted against them, and who they did vote for, so that they can change their stance in future campaigns.

              If the numbers don't match, there are a range of possible outcomes.
              1. If the number of votes is greater than the verified number, and that number would be enough to make a difference to influence the election outcome then yes, you have another election. In any case, you get federal police to investigate.
              2. If the number of verifications is greater than the number of votes then that is either fine or problematic, depending on whether:
              a: it is possible to deny service to the voting machine, while not denying service to the verification machine. Yes = bad
              b: it is possible for people to verify and then bail without voting (i.e. informal vote): Yes = difference is less consequential

              If it becomes possible to track who voted which way, then the voting system is fundamentally broken and needs to be replaced. This applies to paper votes as well as electronic votes. It is already pretty well known which social groups vote for which candidates or types of candidates, because of very intensive polling. Campaigns already leverage this information.

    Has anybody ever heard of an eraser, they are used to rub out things when you make a mistake in pencil.
    So this whole pencil-marked ballots are so safe crap everyone keeps spewing about doesn't really make sense.

      There is a big difference between pencils and physical ballot papers being held by electoral officials, where even if they wanted to, changing a ballot paper is 1) noticable because an eraser doesn't make a mark fully dissappear, 2) time consuming 3) presided over by scrutineers from parties and 4) reconcilable against a polling night publicly displayed original figure and internet voting where anyone with the know-how and desire can at the preverbial click of a button change vast swathes of ballot papers or indeed just make them disappear.

    It amazes me that we are in 2013 and we still don't have internet voting. I can't believe that with so many other internet processes that require more security than voting the AEC can't get their act together. It will come eventually, you can be sure of that, I just wish it would hurry up!

    If E voting comes in I want complete control over voting on individual bills in the house and the senate! the people in these establishments have done what their party wants as opposed to the peoples far too many times already. every bill should be decided on in each electorate. and then its just a formality in these 2 houses

      Okay, so while I don't have a link on hand at the moment, I remember reading somewhere that this was tried in one of those online nation things, and it turns out to be a terrible idea, because most people voting know nothing about the issue at hand.

      Also, sometimes a leader needs to make a decision that isn't popular, because it's actually better for the people in the long run. Your idea circumvents that.

    It seems that many people are confusing electronic voting with internet voting. The latter will never happen and the reasons should be obvious. Electronic voting would still require voters to attend polling stations where their name would be crossed off the roll and they would go into a booth. Instead of writing on a paper ballot, they would make their selections on a touchscreen. The computers would either be standalone and networked to a LAN within the polling station, but not connected to the internet.

    There's no reason this couldn't work technically. But the cost of implementing it would be prohibitive. So, we're unlikely to see it in the near future.

      Again, the ACT has had electronic voting in pre-poll polling centres since 2001

    None of the negatives are insurmountable. If the banks can provide highly secure transaction control, then so can the AEC. Worms & viruses can be dealt with the same way, as can real-time updating to make sure a person doesn't try voting more than once. Vote buying or 'bullying' can still be dealt with by using stress checks - methods of making sure the voter isn't under duress while conducting a transaction (for example, having 2 valid passwords, one of which is for use when under duress. The transaction appears to have been processed normally, but in fact it hasn't and the police or other agencies can be notified to investigate).

    The real problem is politics, not technology. Electronic voting opens a Pandora box for the politicians - once general / by election e-voting is enabled voters will be demanding a vote on a huge range of issues, and there will be no legitimate reason why governments could stop them. After all the governments work for us, we pay them, and they are supposed to do what we elect them to do.

    It would change the face of democracy very quickly, and put real power in the hands of the people. No politician wants this, because it would force a much much higher level of accountability onto them.

      There are many, many differences between online banking and online voting.
      If some malware steals $1000 from you, you'll know because you can see that there should be $1000 and there isn't. If your vote is miscast due to some attacker, how do you check that?
      Using multiple passwords for duress is a good idea, but in practice I don't think it would work. People are not good at remembering passwords at the best of times, let alone two for the same system one of which calls police. Especially under duress, that will be a challenge. Not only that, you have the password distribution problem: what means can you use to identify both passwords to the users (and which one is which) that no-one else can demand to see with a gun to the head?

      There are good ways to do electronic voting but not Internet voting; there are no good ways to do that at the moment in my opinion.

    Come on!

    Seriously, all the suggestions comparing tax returns to electronic voting is being a little simplistic. Do you think a foreign power actively cares how much you get back from the Federal Government? They know that if they hacked your tax return and you got too little, you would appeal, and if you seemed to be getting too much the ATO would investigate.

    Lets remember what a vote is. It decides who has political power for a period and the right to make laws. If there was a flaw in the electronic voting system, would is to say a Foreign power would not exploit it to their advantage. And how are you going to give the system legitimacy? At elections, there is never a uniform swing to or from a party on a seat by seat basis. Seats side by side act different.

    With electronic voting and without a physical record, Politicians would be able to say " It is clear the electronic voting system has been hacked, as seat A swung 10% to me and the next seat swung 5% against me. It is clear that this result has been hacked and should be declared invalid". Elections can often be decided by a few thousand votes in a number of key seats, and this is incentive enough for a foreign power to act if there is a flaw.

    This is the issue that the AEC is trying to overcome now.

    There have been a range of ideas about how to do electronic (not Internet-based) voting. Some of them are brilliant: they use cryptographic techniques to provide incredible verifiability of the result, if the machines themselves are not compromised. Seriously, look at Academic Efforts on the Wikipedia page for Electronic Voting.
    Unfortunately, none of them work for preferential voting.

    Electronic voting can be good: it can provide accessibility features (e.g. headphone-delivered names, braille display) without needing a third person. However, the real challenge is ensuring that a machine or software compromise is detectable, and will be detected.

    You must always have a paper ballot in the end, whether that is what the voter marks initially (e.g. like one of those multiple choice exam papers) or whether it is a machine-printed result. The advantage of a voter-marked result is that it is definitely correct, since the person wrote on it. If the machine is printing what the user enters, then the print-out can be wrong. Of course, the flipside is that if the voter marks the ballot and it is scanned, then you can't be sure the machine scanned it correctly. Perhaps the ideal is to have the voter mark a scannable ballot, and then the machine prints what it reads in a footer section. Then the voter can verify that what they wrote and what the machine says it read match.
    You must also keep the paper ballots. If there are claims of compromise, they are the definitive votes. They are what actually count.
    You must have audit teams who are randomly allocated to check paper ballots against electronic ones, and the allocation must be after the voting has closed (so that it is impossible for anyone to find out in advance, and only commit fraud on a subset of locations). Furthermore, the results must be extracted from the voting machines identically whether they are being audited or not.

    There are other things which can help: having source available for review, etc (like it is for the ACT voting machines). However, the best approach is to check a subset against paper, and to do so in such a way that the machine never knows whether its data is being audited, and no-one knows in advance what or where will be audited.

    Why can't the voting ballots be in "fill in the dot" format.
    Each ballot paper gets numbered using a barcode or QR code that won't be human readable.

    People fill in the dots, place their ballot paper in the box like usual.
    When it comes time to count, the ballots go through a machine that reads the dots and determines your vote and preferences. It also checks the code to confirm that the ballot paper has been used (this should detect duplicate, invalid and missing ballot papers).

    The machine should have every vote's preferences, so the whole process of running through the candidates should only take a very short time.

    There would only need to be a couple of machines per electorate, as votes from different polling places can be transported to a central polling place. Remote polling places typically only have a handful of votes so manual counting can still be an option.

      how exactly would a person vote below the line by filling in dots if the electorate had over 100 candidates?

      You can do this, but you need very, very good audit procedures. Otherwise you end up with a 'hacking democracy' scenario (i.e. a hack on the memory card of an optical scanning voting machine which results in a faked outcome: see this annoying but offputting video)

        The ballots will still be kept, so there is a paper record of each vote. If there is any dispute, the ballot papers could be put through another machine, or manually recounted. As each ballot has a unique code, any discrepancies between two machines could be picked up by the system.

          Certainly keeping the ballots is essential, but I actually think manual counting of a randomly selected subset is also essential (where the random selection is determined after the initial results are printed or otherwise recorded). If all the scanners are compromised, then you can't just put papers through another machine to cross-check.

    The problem is - who defines and implements a tech-only solution architecture...
    e.g. not the guys that specify speed camera policy or airport security strategy.

Join the discussion!

Trending Stories Right Now