[E-voting] Appeals to the Information Commissioner - progress and obstacles

Colm MacCarthaigh colm at stdlib.net
Mon Oct 30 01:35:48 GMT 2006


On Sun, Oct 29, 2006 at 10:23:50PM +0000, Joe McCarthy wrote:
> So the question is - could the information I'm seeking make it easier to 
> commit an offence in Ireland?

No. Having seen and performed the attacks in question personally, I find
it hard to see how any information could possibly make it any easier. 

> Firstly, given the recent hacking of a Nedap machine in Holland, the 
> Commissioner may decide that the records at issue are exempt from 
> release under section 23(l)(c) of the FOI Act - whereby a record may be
> refused where access to it could reasonably be expected to facilitate 
> the commission of an offence.

It can also be argued that not releasing the material can be reasonably
expected to facilitate an offence. Without basic democratic scrutiny of
the procedures involved, corrupt officials may be all the more free to
tamper.

If the nature of this information somehow represents a threat then
keeping it closed creates a two tier system; those who possess it and
must be blindly trusted, and those who do not and have no oversight.

The real world risk of an offence can only be lessened by the disclosure
of this information, as it can then be more broadly assessed and any
weakness mitigated against.

Only in the irrational scenario where the administrators then ignore all
sensible advice given to them does a real risk arise, and it should not
be the job of the information commissioner to mollify such concerns.

Furthermore, it can also be argued that it is not reasonable to expect
these machines to actually ever be used, so the concern is without
merit. The Commission on Electronic Voting have already made
recommendations which involve modifying the hardware, including
attempting to defend against the threats demonstrated by the Dutch
group. The government have committed to the recommendations of the CEV,
and so again, it is not a reasonable expectation.

> This is not to imply that you might commit an offence - however, it must
> be borne in mind that release of information under FOI is akin to the 
> release of information to the world at large. It seems to me that the 
> key to the application of section 23(l)(c) is not the issue of who might 
> commit an offence, but whether the commission of an offence could be 
> made easier by the release of the information at issue.

That argument can be made for any information.

> Given that hackers infiltrated the Dutch system using information 
> contained in the Commission on e-Voting Report, I am of the view that 
> the information in the records under review in this case could 
> reasonably be expected to facilitate further hacking. Thus, release of 
> the records could reasonably be expected to make it easier to commit an 
> offence (a person being guilty of an offence, under section 2(1) of the 
> Electoral (Amendment) Act 2004, if they wilfully and without authority, 
> interfere with any voting system equipment).
>
> Significantly, should the Commissioner be satisfied that section 
> 23(l)(c) applies in this case, the records will remain exempt from 
> release to you because section 23(l)(c) does not require the 
> consideration of the public interest.

What a complete load of crap.

> Section 27
> 
> Apart from the prospective application of section 23, it also seems to 
> me that the above records contain technical information the release of 
> which could prejudice the competitive position of the producers of the 
> Nedap voting machines. You may argue that the recent hacking of the 
> voting machines in Holland means that the competitive position of Nedap 
> cannot be further prejudiced through the release of the above records. 
> However, it seems to me that the release of the records would involve 
> the disclosure of information not already in the public domain, which 
> could indeed further prejudice Nedap's competitive position. 
> Accordingly, I would accept that section 27(l)(b) applies.

Is this the Information Commissioner saying; "These clowns are actually
more incompetent than you already think they are?" 

> However, it seems to me that there is a further public interest 
> argument to be considered - that of preventing the disclosure of
> information that could facilitate the commission of an offence, which in 
> my view, is a very strong public interest in support of the information 
> being protected.

That is the stupidest argument I have ever read from Emily O'Reilly.  If
she's bound by the statute that's one thing, but to claim that there is
a very strong public interest to be served in denying people access to
material on how elections are run is mind-boggling.

Based on my reading of her letter, I think three key arguments need to be
made;

	An attack on the reasonableness of the expectation. This really
	is the only avenue open to challenging such a decision.  I don't
	think that it is a reasonable expectation, because the
	commission have recommended (in a vague hand-wavy way) "changes"
	and "improvements" which would somehow defend against the Dutch
	attacks. While we all realise the meat of those recommendations
	are unimplementable with the Nedap system (and imply ditching
	them), nevertheless in theory they could be, and - importantly -
	the Government have accepted the recommendations of the CEV.
	So, it is not reasonable to expect that the release of current
	material could create a risk.

	Once making that argument, another one is needed arguing that
	the statute should not be interpreted to prevent the release of
	materials because an offence might be committed almost anywhere
	in the world. Also, the burden of risk should be much higher.
	It's easy to see how the release of almost any information could
	be "reasonably" expected to facilitate the commissioning of an
	offence. The revelations involved in many could lead to
	recriminations and so on. It is trivial to imagine circumstances
	in which a crime might occur. It should require instead a
	specific assessment of the real risk involved.

	The system has been so thoroughly reverse engineered by the
	Dutch group that it is hard to see what further information
	could be necessary to hack it any more. The system uses
	standard industry components, standard processors, and the
	software has been entirely disassembled and analysed. Each
	component, register and button has been accounted for. As it is
	demonstrably trivial to compromise these machines, it is hard
	to see how any further information could make it easier or
	increase the risk.

Maybe specific information like the whereabouts of the machines, or the
model-number of the key for locks should be redacted, but that's about
it.

Still, from the tone of that letter, I doubt there's much chance
of winning that appeal :/

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net