Votingcomputer: the zombie that just won’t die

<originally a Webwereld column>

U heeft gestemd - of niet?

Last month the VVD and D66 political parties (the Dutch equivalent of the Conservatives and LibDems in the UK) again proposed that the Netherlands should re-adopt electronic voting. Earlier this year the Dutch Association of Mayors also called for their reintroduction (don’t you just love it when non-elected officials comment on and interfere with the electoral process :-). While the use of voting computers in the Netherlands has been banned for over four years, even for water board elections, there remains a fundamental misunderstanding of the basic problem with electronic voting.

While the many clumsy security problems (video) or the absence of the source code of the software (in the case of Nedap and SDU voting computers), are excellent talking points for the media and political agenda, these issues are not the core of the problem. And although the voting computer dossier at the Ministry of Home Affairs is now labelled with a bright fluorescent sticker: ‘radioactive, do not touch!", there is still a risk that local authorities or suppliers will continue to feel that voting by computer is best "if we can just iron out a few little bugs”.

The real objections are more fundamental and have little to do with security bugs or open source code. They are the fundamental principles underpinning our democracy, and are threatened by the use of voting computers. In the many discussions on mailing lists and web forums it seems that people have lost sight of these principles.

In the first year of operations of the wedonttrustvotingcomputers work group, there were many reassurances given by government and suppliers that we should not be so suspicious. The Netherlands is a great country, after all, and the suggestion that anyone would commit fraud with something so fundamental as the election was considered ridiculous. It was simply unthinkable, and further discussion or justification not considered necessary. This attitude demonstrates a fundamental misunderstanding of the essence of democracy. That is not a question of trust but distrust of organised power.

Through trial and error we have learned over the past few thousand years that power corrupts, and absolute power can corrupt absolutely. An enlightened dictator can be an efficient form of government, but how do you ensure they remain enlightened once they have the power? To solve this problem we have evolved a complex system of temporary mandate (four years), with checks and balances as the need arises. You can only gain power if the majority of people have said that they really want you there, and even then you will be closely monitored by 150 other people who are also only be allowed to do so because of the vote of thousands of fellow citizens. The system is far from perfect and is plagued by inertia and a focus on what is hot in the media, but we have yet to invent something better. This system makes it difficult to take important decisions publicly without authorisation. And a king or president cannot simply on a whim ruin the country or violate the fundamental rights of citizens – unless those citizens and their representatives agree to it by inaction, but then they only have themselves to blame.

The abuse of power cannot be solved by online publication of a voting computer’s source code because citizens cannot determine whether the published source code actually runs on the specific voting computers in their neighborhood. Even more important is the fact that 99.99% of the population cannot audit the code. Inevitably, it still comes down to having confidence in a very small group of technical experts. And having to trust a very small group (any small group whatsoever!) is precisely what we no longer want. If we have small groups of technicians whom we trust, we might as well make up the parliament based on a sample of a research firm. That saves a lot of time and paper and there is probably a great evening of TV programs that can be built around it.

It has often been said that paper ballots can also be fraudulent, with elections in places like Zimbabwe cited as examples. The important aspect here is not the possibility of fraud but the possibility of detection when it happens. Large-scale, and therefore effective, fraud in a paper voting system is impossible to keep secret and that makes it possible to intervene when small groups try to exploit the system. In most cases, fraud with voting computers is impossible to prove afterwards. The records are erased and there are no ballot papers available for another recount.

This was proven painfully during a local election where the candidate eldermen was also the operator of the voting computer. In the polling station where he was present he received an unlikely number of votes (higher than all other locations in the municipality combined). Yet the justice department was hard pressed to find actual evidence against this potential fraudster. Nor could the man ever prove his innocence. The result is therefore a situation where the integrity of the process itself is called into question, and thus the legitimacy of the ballot. The distinction is thus the detectability of fraud, not the (im)possibility of it.

Even with electronic voting with a printed ballot (the so-called ‘paper trail‘) there can be doubts about the results, and applications for a recount of a paper trail is also an immediate political issue (against winners, losers). At what point do we initiate a paper recount? Which sample is good enough for the loser? How do we determine that there is reason to doubt the electronic result? Is there a basic assumption that the computer counts accurately? So there are inevitable administrative and political barriers to requesting a recount. This, combined with the fact that polling can provide the perception of a "winning" coalition in the Netherlands, makes it attractive to manipulate voting computers. What is it worth to control the election of the 20th largest economy on the planet?

Despite minor incidents with the paper system, the integrity of the Dutch paper voting process has never been the subject of discussion. And even the Interior Ministry and TNO had to admit, after some urging from external experts, that the previous generation of voting computers was not compatible (nor had it ever been compatible) with the Dutch electoral law.

TNO hid the fact that the validation protocol of the integrity of the system had not been examined. Both the responsible officials and TNO’s "experts" were simply not competent to deal with this issue adequately. The OV-chip, EPD and the Diginotar dramas were repetitions of this incompetence, displaying no understanding, no adequate assessment frameworks, and no substantive oversight. And , of course, nobody is held responsible when things go wrong. After voting machines were banned, no civil servants  and TNO employees were sacked for their screw up. Therefore there is very little confidence amongst external experts that future assesments on a different technical ‘Solution’ will be adequate.

We must prevent a situation where the integrity of the electoral process itself can be questioned, and thus the legitimacy of the outcome. The vital distinction is the ability to detect fraud, not the (im)possibility thereof. Voting computers create serious problems, are more expensive that the use of paper, and undermine the legitimacy of democratic governments. And as Churchill said: ‘Democracy is the worst form of government, except for all those other forms that have been tried from time to time.’

(this column is a re-write from a 2008 publication I wrote for a Dutch magazine on digital government – now disapeared after site redesign)

 


XKCD on voting computer security