August 8, 2022

How NOT to Assess an E-voting System

by Vanessa Teague, an Australian computer scientist, cryptographer, and security/privacy expert.

(Part 2 of a 5-part series starting here)

Australian elections are known for the secret ballot and a long history of being peaceful, transparent and well run. So it may surprise you to learn that the Australian state of New South Wales (NSW) is home to one of the world’s largest Internet voting projects, second only to Moscow’s by absolute number. In the 2021 New South Wales local government elections, 652,983 votes were received from the Internet, including more than one third of votes for the Sydney city council.

The system suffered substantial downtime throughout polling day and the day before. There is no way to tell how many voters were disenfranchised. Electoral Commission estimates give a total of about 20,000 people who registered to use iVote but did not receive a voting credential in time to vote. About half of these probably voted on paper; the rest were disenfranchised. In many councils, the number of disenfranchised people was enough to change the election outcome. As a consequence, the Supreme Court of New South Wales voided the results in three local councils, though the results are highly uncertain in many other councils too. 

iVote has had serious reliability issues and security concerns since its inception. The protocol does not provide any genuine verification, either for the voter to check that their vote reflects their intentions, or for election observers to verify that the complete set of votes has been properly included and decrypted. In 2015, Alex Halderman and I showed that it was vulnerable to an Internet-based attacker who could take over the voting session and substitute a different vote. In 2017, a different set of colleagues found that a version of the vote could be decrypted directly by the server. In 2019, when Thomas Haines, Sarah Jamie Lewis, Olivier Pereira and I found serious cryptographic errors in the Swiss Internet voting system, the NSW Electoral Commission announced that iVote had the same problems.

Unlike Switzerland, NSW attempted no serious reassessment of either the regulations or the system design. Even when their appointed auditing team raised concerns about hardcoded passwords, a possible opportunity to delete votes without detection, and inadequate procedures for ensuring that the executed code matched the audited code, the NSW Electoral Commission simply ran iVote again in 2021. No regulations were altered, and they continued to threaten jail time for sharing the source code, though the sharing of source code in Switzerland had led to the identification and correction of serious problems in NSW.

We don’t have demographic or political data, either about who tried to use iVote or who was most impacted by its downtime. We do know, from NSW Electoral Commission reports, that about half of the voters affected by iVote’s downtime went to a polling place and voted on paper. This is extremely unlikely to be a random half—most probably, it was the well-off, healthy voters without caring responsibilities, long working hours on a Saturday, or physical or mobility challenges. The people actually excluded from the franchise by iVote’s downtime were people who were not easily able to suddenly make alternative arrangements, who probably included the more disadvantaged people often used as a justification for running Internet voting. There would have been some who were not able to vote on paper under any circumstances (such as those with physical disabilities) and those who suddenly found themselves under covid isolation orders despite intending to vote in a polling place. These people had no other voting option in NSW (the voters with disabilities should have been offered a verifiable voting option, but they weren’t). However, some of those disenfranchised by iVote’s downtime were people who would have had ample opportunity to apply for a mail-in vote, if they had known in advance that iVote would fail. Unreliable voting systems are most damaging to the voting rights of the people dependent upon them.

The main long-term consequence of iVote’s downtime is that NSW elections will become much more secure and trustworthy because they will stop using iVote.

Internet voting is not part of Australia’s proud history of innovative electoral progress. It is more accurately seen as part of a pattern of public-sector disregard for electronic security and privacy, which includes driver’s licenses, health data, and covid-tracing records. Serious, evidence-based security concerns were repeatedly ignored.

By the time the reruns and possible lawsuits are settled, it will be much more expensive than running the election properly the first time.

Undetectable fraud remains the primary concern. The worst thing about this election was not that ten thousand or more people were disenfranchised, but that 652,983 votes were included in the tally without the slightest evidence that they accurately reflected the voting intentions of eligible voters.

(Next part: How the Swiss Post E-voting system addresses client-side vulnerabilities)