[E-voting] OSCE/ODHIR report about Belgium

David GLAUDE dglaude at poureva.be
Thu Nov 30 22:20:05 GMT 2006


Hello,

I am very proud to introduce the first English-language article on
PourEVA/VoorEVA (should I say ForEVA?):
* http://www.poureva.be/article.php3?id_article=393

It is actually just a SPIP dump of the PDF/HTML version of the report of
the OSCE/ODIHR experts coming to visit the Kingdom of Belgium for the local
election on October 8 2006.

I must admit I have not read it all (it is rather short, boring for me
to read, I spent more time copying and pasting into SPIP than reading
it... I leave it for another day).

I don't think it will be useful for you to use, but it repeats somewhere
the fact that without "audit trail" there is no way to recount. It also
says, I guess, that there is not much to observe.

It is however nice for me to have an English description of how eVoting
works in Belgium. However there are some flaws in the description of the
process... If you don't mind I will correct it here and talk
specifically about what went wrong in Ixelles (Brussels region) and the
reason why we contest the election result there.

> Stages of the process
> 
> In each of the three regions :
> 
> * The process starts by selecting the firm in charge of updating the
> software, through tender or other means. In the case of local elections,
> the regional Ministry of the Interior (MoI) is responsible for choosing
> the provider. The firm STESUD won the market in all three regions. [4]
> * The software produced by the firm is then submitted to an audit. The
> audit was carried out by Bureau Van Dijk in Brussels Region, Price
> Waterhouse Coopers in the Flanders Region and Control Service Solutions
> in the Walloon Region.
> * The audit report is then handed to the regional MoI. It is not public.
> Based on the audit report, the regional MoI certifies the conformity of
> the software.
=> It should be public... transparency.
> * The software is stored on CD-Rom and kept in a bank safe. Two copies
> are made of it, in front of the regional College of Experts. One copy is
> handed to the regional MoI and the other is given to the College of experts.
> * The College of Experts perform their own compilation of the source
> code and compare the outcome with the executables provided by the vendor.
=> In the past the College of Experts was relying on the vendor to
provide the compiler because some code was written in a proprietary
language. Also in the past, one compiler in use was producing a
different binary each time because there was a time stamp in the binary
(it is not fun for MD5).
> * From its copy, the MoI gives the source code of the software to
> political parties contesting the elections.
=> This part sounds theoretical... as far as I know, no party ever
requested a copy of the code even if they have the right to send one
expert who will be bound by secrecy. The president of the College of
Experts for the Brussels Region said in a testimony that no one but
the company providing the software, the regional MoI, the audit company
and the College of Experts has access to the code... who is wrong?
> * Once the period for candidates to apply is closed, three to four weeks
> before election day, the lists of parties and candidates are inserted in
> the software. Screens showing the candidates lists are printed and
> signed in each Commune by the Justice of the Peace who chairs the main
> electoral office of the Commune (Bureau Principal de Commune).
> * From its copy of the software, the regional MoI starts preparing sets
> of floppy discs to be used in each polling station (one master disc and
> 2-3 backup discs). The floppy discs are encrypted using AES Rijndael
> encryption standard. For each set of floppy discs, the MoI generates a
> password which is unique to each polling station.
=> Actually I do not believe that the floppy is encrypted, only a few
files that are the input of the system such as the party/candidate list
and a few files at the end that are the result.
> * The password is used as a cryptographic key for encrypting software
> and election-specific information (candidates etc.) on the disc.
> Passwords and floppy discs are sealed in different envelopes. As a rule,
> the package for each polling station comprises an envelope containing
> the discs and an envelope containing the password, both being attached
> together.
=> Please note that it is totally silly to put the password next to the
disc. Those two envelopes should be kept separate as much as possible
with one of the two reaching the president only at the last minute. Also
spotted by the Brussels College is the fact that the envelopes were not
sealed but were glued in such a way that you cannot detect whether they
were opened or not.
> * Polling Station Chairpersons receive the set of floppies and the
> password to be used in their polling station on the eve of election day
> or in the morning of election day, usually with a set of magnetic voting
> cards.
=> The law says something like "no more than three days before the
election". In Brussels region, specifically in Ixelles, the floppy and
code were not given to the Polling Station Chairpersons, but were kept
by the local authority (and it was a local election). The local
authority that by law should instruct the Chairpersons gave them
invalid, illegal instructions and offered to let them sign a paper saying
that the local authority could keep the envelopes (both) and open them in
the absence of the Chairperson... in order to start the voting computer.
51 out of 52 Chairpersons accepted the offer to have more sleeping time
on the Sunday morning of the election. It is not clear who started the
voting machines and there is no way to prove which software was running
in the computers. Some computers were started in front of the Chairperson,
but not in front of the whole Polling Station Team (and partisan
witnesses). Let's say that all the security in place has been overridden.
We are currently trying to cancel the election in Ixelles because one of
our members was a candidate (only candidates can claim that the election
result must be invalidated) and was a party witness (and since he is in IT
and a member of PourEVA he knew something was going wrong). We don't know
if there was a fraud... but everything was in place so that the local
authority had access to: the hardware, the software, the password...
> * On Election Day, each polling station Chair opens the envelopes and
> uses the password to decrypt contents of the disc when starting up the
> voting machines and the ballot box. The passwords remains in the memory
> (RAM) of the ballot box.
=> This went wrong in Ixelles.
> * Before opening the polling station to the public, reference votes are
> made for each e-voting booth using four to six initialized magnetic
> cards. These votes are random and non-blank in order to assess the
> correct functioning of the voting machine software if needed. Chosen
> reference votes are recorded in a given paper form. This paper with
> magnetic cards used for the reference votes are enclosed in an envelope.
=> In Ixelles, the Chairs were instructed to cast blank votes for all of
the reference votes. Reference votes are meaningless because they are not
verified most of the time; when they are verified... it is with the same
software that wrote on the magnetic card... those votes are always
the very first votes of the voting machine so someone attempting a
fraud will not modify those votes. [However the College of Experts made 2
reference votes during the election in Ixelles... 2 voting machines where
there were more than 300 voting computers for Ixelles]
> * Voting computers are discless. They are booted from the floppy discs
> and run during election day on the floppy discs. In each polling
> station, the same unique encryption key is written in the voting
> software, and in the software used for both the initialisation of
> magnetic cards and their reading by the ballot box.
> * When voters insert their card into the electronic ballot box, votes
> are read out from the card, saved in RAM and also in the floppy disc of
> the ballot box.
> * The main purpose of writing votes on floppy disc is that in case of
> power loss, accident rebooting or malfunctioning of the electronic
> ballot box hardware, it can be restarted from the floppy disc with
> (encrypted) votes on it.
> * Votes stored on the ballot box floppy disc are encrypted with the same
> password of the polling station. When voters insert their magnetic
> ballot card into the ballot box, the ballot box software recognises the
> polling station password, and stores the content of the card in the box
> memory. Cards which have not been initialised with the right
> polling station password are rejected by the ballot box.
> * The ballot box programme randomly stores the still encrypted votes in
> its memory in a database file, so that votes could not be identified
> from reconstructing the order in which they have been inserted in the
> box. [5]
=> The footnote says that not everybody agrees with this.
> * After the end of voting, votes are summarized in the electronic ballot
> box following a special procedure. The generated summary of the votes is
> encrypted with the same password of polling station. Several backup
> discs are made.
> * Vote tabulation is performed generally at commune level (for municipal
> elections) although there might be multiple levels of counting involved.
> Presidents of the voting stations are supposed to physically bring the
> discs with summarized encrypted votes on it together with the sealed
> ballot boxes to the commune main electoral office.
Actually, the ballot boxes stay in place and are given to the commune.
They are only transported if all the floppy disks are not readable or a
"recount" must be done.
> * Discs containing the tabulation software are also prepared centrally
> by the MoI. The same scheme is used - software and election-specific
> information is encrypted by key/password for each individual tabulation
> place with secure password delivery.
> * There appears to be two modes of handling the encrypted disc from
> polling station - automatic and manual. With the manual mode,
> station-specific password must be entered. With automatic mode there’s
> no need for the password. This implies that the tabulation software
> discs can recognise passwords for each polling station of the commune /
> area. Also, a printed list of passwords for each polling station is
> available in practice for the manager of the tabulation office.
=> So much for the password... actually there is a password database in
the tabulation software so that you don't have to encode them one by one.
> * The tabulation software is designed so that it does not output
> intermediate results before the vote summary from at least three
> individual polling stations are entered. They can add together the
> results of up to 30 polling stations and only deliver the aggregated
> results [6].
> * If needed, it is possible to recount the votes of a particular polling
> station by unsealing the ballot box, initializing its software and
> inserting again all the magnetic cards it contains.
This is a virtual recount as there is no way to verify that the votes on
the magnetic cards were not altered by the voting software or by the
ballot box.

I hope this report will help.

I know that OSCE/ODIHR sent as many as 8 people to the Netherlands.

I am still trying to find out:
* If Germany had enough signatures on their petition?
* What is the status in Italy?
* If something went wrong in the Netherlands election?

David GLAUDE
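
An added illustration of the compile-and-compare problem raised in the reply above (a compiler that stamps the build time into the binary, so a whole-file hash never matches); it is not part of the original message and not code used by any party named in it. The image layout, the timestamp offset and all names are constructed assumptions, and SHA-256 is used in place of the MD5 mentioned in the message.

```python
import hashlib

def diff_ranges(a: bytes, b: bytes, gap: int = 4):
    """Half-open (start, end) ranges where a and b differ; runs closer than gap are merged."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    ranges = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if ranges and i - ranges[-1][1] < gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def masked_digest(image: bytes, declared):
    """SHA-256 of the image with every declared volatile range zeroed out."""
    buf = bytearray(image)
    for start, end in declared:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()

def compare_builds(vendor: bytes, rebuilt: bytes, declared):
    """Return (verdict, unexplained ranges). Only declared ranges may differ."""
    if len(vendor) != len(rebuilt):
        return "MISMATCH", None
    diffs = diff_ranges(vendor, rebuilt)
    unexplained = [(s, e) for s, e in diffs
                   if not any(ds <= s and e <= de for ds, de in declared)]
    if unexplained:
        return "MISMATCH", unexplained
    return ("IDENTICAL" if not diffs else "MATCH_EXCEPT_DECLARED"), []

# Constructed sample images: 16-byte header, 4-byte build time, 32 bytes of "code".
def _image(build_time: int) -> bytes:
    return b"HDR0" + bytes(12) + build_time.to_bytes(4, "little") + b"CODE" * 8

STAMP_FIELD = [(16, 20)]            # assumed location of the compiler's timestamp
VENDOR = _image(1160000000)         # stands in for the vendor's executable
REBUILT = _image(1160003600)        # auditors' rebuild, one hour later
TAMPERED = REBUILT[:30] + b"X" + REBUILT[31:]   # rebuild with one code byte changed

if __name__ == "__main__":
    for name, img in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        print(name, compare_builds(VENDOR, img, STAMP_FIELD),
              masked_digest(img, STAMP_FIELD)[:16])
```

The declared ranges have to be fixed from the compiler's documented output format before the comparison is run; deriving them from the observed differences would make every difference look explained.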


