[E-voting] Commission on Electronic Voting

Adrian Colley aecolley at spamcop.net
Thu Mar 11 19:04:19 GMT 2004

On Thu, Mar 11, 2004 at 11:48:46AM +0000, Cian wrote:
> I figure we should get a nice, professional submission in as soon as possible.
> We have a tonne of information to put in it, though - what do people think we
> should prioritise?

I'll quickly blurt out the thoughts I've jotted down on this, just to
make sure each point is thought about, not as a serious draft:

(Outline of the submission)

Introduction - task and setting.
	The Commission's task is similar to that of the Supreme Court
	on an Article 26 reference.  The proposed system is to be
	evaluated and approved or rejected in a vacuum and on a limited
	timescale.  At least the Commission is explicitly allowed to
	hear evidence!  The proposed system has a fundamental design flaw
	which, despite widespread credible documentation, has been neither
	recognised by the DoEHLG nor accepted by the vendor.

Threat - tampering scenarios.
	The most low-level chapter, in which the technical problem
	itself is discussed:

	VM reprogramming (by manufacturer, by insider, by intruder)
	VM hardware redesign (by same attackers)
	Seal counterfeit/repair/theft/misappropriation
	PC reprogramming
	Rewriting module in PRU
	RO mistakenly sealing machine without impractically-full inspection
	Only two seals - no independent sealing by opposition candidates

Implementation - lack of mechanism to prevent threats.
	This includes analysis of the requirements of elections and
	the capabilities of computers, including the theoretical
	limits making secure DRE impossible, pointing to the necessity
	for a VVPB.

Engineering - faulty analysis and consequent defective design and test.
	Requirements analysis failure to identify voter verification.
	Quote vendor from JCELG 2003-12-18 giving insight into analogues
	(e.g. ballot record for ballot paper) which formed basis of
	specification.  Explain how failure to capture requirements
	leading to customer rejection is common in industry (need
	examples).  Show how Nedap experience typical.  Condemn vendor's
	claimed "audit trail" and question mindset of its designer.

Project management - faulty planning failing to uncover engineering defect.
	Evaluation based on amateurly designing whole process, then
	dividing it into six nonoverlapping parts, each for a different
	consultant.  Focus on lack of expertise in system integration,
	and consequent neglect of need to validate whole system.  Also
	point to extant research and published statements on e-voting
	security from ACM, Mercuri et al., and ask why no attempt was
	made to validate vendor's claims by looking for such opposing

Cited evaluations - each one analyzed w.r.t. security.

Project planning - failing to consult.
	Inception of e-voting project in DoEHLG still a bit mysterious.
	No consultation with public involved, which might have brought
	problems to public prominence much earlier.  Must wonder why
	no evaluation on such a fundamental change considered necessary.
	(FoI documents may be enlightening here.)

Responsibility - failing to take objections seriously once raised.
	A very serious matter (possibly outside the commission's remit)
	is the way in which DoEHLG handled valid criticisms of the
	system.  Early dismissals as idle Luddism are understandable
	and perhaps forgivable; later rejections of well-founded
	research with material misrepresentations both as to the
	features of the system and the details of the research are
	not, and indicate bad faith (IMHO).

Initiative - improper process of selecting vendor and evaluation strategy.
	The tech was chosen before the Bill was introduced, the money
	was spent before the contract was signed, and the process of
	evaluating the equipment was chosen in a way which happened not
	to examine the faulty aspects of the system's design.  Does it
	appear that the vendor was chosen first and that everything else
	was chosen to suit the vendor?

Legislative - insufficient airing of Bill, confusion with other matters.
	Although the problems with the system were identified on the
	first day of debate on the Electoral (Amendment) Bill, 2000,
	they went unheeded by the bulk of the Oireachtas, concerned as
	they were with the other weighty and controversial matters
	collected into the omnibus Bill.  Insufficient care was taken
	in scrutinising the Bill before passing it (which was, in the
	end, by guillotine in both Houses).

Constitutional - shift of burden of proof from officials to objectors.
	The secrecy of the ballot is constitutionally required, and so
	is the integrity of the ballot.  The secrecy requirement must
	be satisfied not on the balance of probabilities, but to the
	satisfaction of any reasonable voter (must get the exact
	wording from the judgement).  The integrity requirement is
	similarly critical and needs similar protection.  The proposed
	system shifts the burden of proof (of ballot integrity) onto
	the voter or candidate who feels aggrieved, without allowing
	for any meaningful investigation that could establish such proof.


GPG 0x43D3AD19 17D2 CA6E A18E 1177 A361  C14C 29DB BA4B 43D3 AD19

More information about the E-voting mailing list