This article is by Robert Merkel, Director of UWA Centre for Software Practice, University of Western Australia. It originally appeared on The Conversation.

Several advantages of online voting were identified in a recent post by Conversation columnist and software researcher David Glance, who backed the introduction of such a scheme in Australia.

He is correct that an online voting system would be faster, more convenient and have fewer accidental informal votes. It would also reduce the donkey vote problem (though the “donkey vote” bias can also be dealt with by the use of Robson rotation on printed ballots).

But in my view he dismisses the very real risks not only of actual election tampering, but something equally important – the confidence that Australian elections aren’t being tampered with.

A vote-counting system not only needs to be secure against threats to its integrity, it needs to be seen to be secure against such threats.

The right technologies, deployed in the right way, can assist with speeding up vote counts without putting the integrity of our voting system at risk. The place for that technology is not as a replacement for the paper ballot.

Voting is not like paying your bills

Most Australians conduct many financial transactions online, such as paying bills or online banking, with a reasonable degree of confidence.

But while these systems do work acceptably well most of the time, there is a steady stream of fraud committed against them. Some estimates put the cost of cybercrime in Australia at around A$2 billion annually.

Furthermore, there are some key differences between voting and financial transactions which will make electronic voting harder to secure.

For example, financial transactions are private, but not anonymous, and they are conducted on a continuous basis, not once every three years or so.

The two parties to a financial transaction can see how the transaction is interpreted by the financial institution involved, and can report any problems.

Any fraudulent financial transactions can often be reversed or compensated for on an individual basis. If an online election is found to be unsound, the only remedy may be to rerun the election.

Further concerns over online voting have been raised elsewhere on The Conversation.

Confidence in elections is social, not just technical

If we propose to radically change Australia’s vote-counting system, we should at least do so only after fully considering the nature of the existing system.

It’s pretty widely acknowledged that Australia’s vote counting system is generally accurate and not subject to widespread tampering. So let’s ask the question: why do we have confidence in Australian elections?

Partly, it’s by direct observation as voters: as we vote, we also observe the process. We see the ballots, we see them being placed in the ballot box. But it’s also through our network of relationships.

Many Australians would probably know one of the 75,000 temporary poll workers. Those more interested in politics are likely to know a scrutineer, a representative of a party on the ballot who directly observes the vote counting.

Confidence in Australian elections is therefore the result of the observations of a large fraction of the Australian population. A conspiracy to rig a vote that involved many ordinary Australians is beyond the realms of plausibility, and that is what we rely on.

While all manner of other conspiracy theories circulate on social media, election-rigging conspiracy theories are almost unknown in Australia.

An online voting system, or even an electronic voting system in polling booths, would shift the responsibility for electoral integrity to a tiny technical elite with the time and skills to audit the voting technology used.

We are supposed to trust both their personal incorruptibility, and their competence. Serious security flaws are often missed by such professionals until they have been systematically exploited by criminals.

Automate the count, not the recording

People with disabilities have been among the strongest advocates for electronically aided voting, for good reason. But that does not mean that paper ballots should be discarded to this end.

With the right technology, instructions expressed by voice commands, a touchscreen, or whatever interface the voter can use unaided can do the job of marking their ballots. That way voters with disabilities will be able to vote with the same level of privacy and autonomy that others take for granted.

Regardless of how they are marked, paper ballots do not necessarily need to be counted by hand. Senate ballot papers are currently being counted with the assistance of handwriting recognition systems similar to the ones used to read postcodes on hand-addressed envelopes.

The present system is only semi-automated, in that every ballot scan is then checked by a human operator.

In the future, it is likely that the system can be refined so as not to require every vote to be human-verified. For instance, using two or more independently implemented automated counting systems, combined with randomised spot checking by AEC staff and scrutineers, may be sufficient to ensure an accurate count.

This would allow much faster initial Senate counts but, if there is any doubt, a hand recount is always possible.
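As an added illustration of the reconciliation step described above (this is not code from the article or from the AEC), the following Python sketch compares two independently produced machine readings of each ballot, sends every disagreement or doubtful formality to a human operator, and draws a seeded random sample of the agreed ballots for scrutineer spot checks. The ballot format, the formality rule and the audit rate are assumptions made for the example.

```python
import random
from collections import Counter

# Constructed sample data (assumed shape, not the AEC's format): ballot id ->
# {candidate: preference number}, as read by two independent systems.
READS_A = {
    1: {"A": 1, "B": 2, "C": 3},
    2: {"B": 1, "A": 2},
    3: {"C": 1, "D": 2, "A": 3, "B": 4},
    4: {"A": 1, "C": 2},   # system B reads the second mark differently
    5: {"B": 1, "C": 3},   # numbering has a gap: formality is doubtful
}
READS_B = dict(READS_A)
READS_B[4] = {"A": 1, "C": 3}


def is_formal(prefs):
    """Assumed formality rule: preferences run 1, 2, ... with no gaps."""
    nums = sorted(prefs.values())
    return bool(nums) and nums == list(range(1, len(nums) + 1))


def reconcile(reads_a, reads_b, audit_rate, seed):
    """Reconcile two independent machine interpretations of every ballot.

    Any disagreement, and any ballot of doubtful formality, is routed to a
    human operator. Agreed ballots are counted, and a random sample of them
    is pulled for scrutineers to compare against the paper. The seed should
    be generated publicly after scanning so the sample cannot be predicted.
    """
    rng = random.Random(seed)
    counted, review, sample = [], [], []
    for ballot_id in sorted(reads_a):
        a, b = reads_a[ballot_id], reads_b.get(ballot_id)
        if a != b or not is_formal(a):
            review.append(ballot_id)
            continue
        counted.append((ballot_id, a))
        if rng.random() < audit_rate:
            sample.append(ballot_id)
    return counted, review, sample


def first_preferences(counted):
    """Tally of first preferences over the counted ballots."""
    return Counter(min(prefs, key=prefs.get) for _, prefs in counted)


if __name__ == "__main__":
    counted, review, sample = reconcile(READS_A, READS_B, audit_rate=0.5, seed=7)
    print("counted:", [b for b, _ in counted], "review:", review, "sample:", sample)
    print("first preferences:", dict(first_preferences(counted)))
```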

In the United States, which uses a wide variety of vote-counting technologies, the one most favoured by academic experts is optical scanning ballots. Many people would have come across these in multiple-choice tests such as driving tests: you fill in the box corresponding to your choice.

These work very well in the American context. They are fast, accurate and can be hand-counted in case of a technical problem or dispute. But American elections do not use the preferential voting system.

Designing a system and educating Australians to use this kind of ballot for preferential votes would present a significant challenge and would probably result in a high informal vote.

In any case, expert opinion is clear: no voting system that relies on electronics to record votes, including systems that produce some kind of human-readable audit trail, has any substantial advantages over paper and pencil (or perhaps indelible pen).

Even the inventor of the “voter-verified paper audit trail”, Dr Rebecca Mercuri, has concluded that such systems are inferior to paper ballots marked by the voter.

By Robert Merkel, Lecturer in Software Engineering, Monash University. This article was originally published on The Conversation. Read the original article.

  1. NSW already have one. Someone was unable to vote because of a “bug” in the mobile web view redirecting them to the practice page. I had to complain for them on the AEC page.

    At the last election someone audited the vote system and found they were CDN loading jquery files making it vulnerable to DNS attack. There were other compromised issues but they kept it running like nothing mattered.

    Worse I went to take a look at the system myself again as I found it to be compromised last election.

    They have minified JavaScript files; you can read what the bloody system is doing by running it through jsbeautify in Chrome. This is shocking and a disgrace, they need to scramble that code.

    I highly doubt they got security consultants in to audit the system and exploit test it at all.

    As far as accessing the system, what about issued browser certificates to get access? Everyone can see the system right now, including bots.

    • Regarding CDN hosted Javascript libraries, I think you are overstating the attack surface.

      You cannot “DNS attack” the libraries, because they will be loaded over HTTPS.

      In order to DNS attack (transparently) you would need to:
      1) Hijack the DNS for a major CDN. (presumably major CDN, and hijack the DNS on your target audience)
      2) Social engineer a Certificate for the Major CDN from a certificate vendor, (not impossible, some pretty big domains have had fake certs created in the past, no one is immune).
      3) Not be detected doing any of these things.

      1 and 2 are pretty hard (perhaps an understatement?), by no means impossible, but the incentive?
      And 3, there are whole fields of statistics that can pretty much identify systematic election tampering.
      Given the “pay off”, I would do 1 and 2 on a major bank, and steal a billion dollars, because even if discovered 2 weeks later through statistics, they can just re-run an election. They can’t “unsteal” my billion dollars.

      Finally, security by obscurity (code scrambling) is not security. You cannot “scramble” code in any way that still works, without it being reversible. Remember: you are talking about people willing to go to the effort to do high-risk tasks like DNS hijacking and SSL cert social engineering, and you think they would be against putting in the time to reverse engineer some obscured code?

      Finally: Browser certificates? For every voter in Australia?

      Good luck with that.

    • I’ve seen some stories in recent times about blockchains being looked into for a few things that would need similar levels of security trust.

      I don’t understand them enough to know how secure they are, but from what I can see it pretty much comes down to the nodes controlling the chain. If THEY are secure, everything else should be secure.

      In general, I can’t see what’s so hard about getting online voting working anyway. For 20 years the ATO was able to provide a secure lodgement system for tax returns (cynical opinions notwithstanding, eTax was a very successful platform for what it was trying to do), which I’d argue would be wanting more security than an election. At least as much, for anyone that disagrees.

      I can’t see why you can’t do something like that through MyGov. The biggest issue I can see with online voting would be server load. Hard to prepare for 20 million people to hammer a server on the same day, that’s just screaming DDoS.

      Alternatively, set up the booths as electronic and capture the information there to automate the counting. It doesn’t need to be online, it can be synced at the end of the voting period easily enough and uploaded directly to AEC servers. That’s been doable for decades. By being offline, you also allow for paper votes if people want to (or are confused with that gadgety stuff) as an alternative.

  2. Ballot verification is the thing that really needs to be solved for any putative e-vote system. I actually don’t mind the optical scan, as there is a hard copy arrangement there as a backup to the electronic recording. But there must be a clearly delineated process for ballot check and verify, and to me that says there must be – from the initial vote moment – hardcopy. Anything not making provision for that will not satisfy me.

    Blockchains with 2 factor may possibly satisfy, but I would want a clearly explained system first, rather than trial-at-vote.

    The big worry with a technical system like chains is the ordinary numpty on the street won’t understand it and therefore won’t trust it.

    • It’s pretty easy; regardless of what method you use, all you need is vote “verifiability”.

      That is to say: when you vote (be it hard copy or electronically) a unique, non-identifying code is given to the voter. They can keep it (write it down, memorize it, whatever), or not (it gets destroyed ASAP, anonymously).

      After the election result is announced (or during some fake “counting duration”) you can take that code, and verify that your vote was posted to the list as “the order and people that I voted for”.

      After the election; you publish every single vote and every single non-identifying code, and anyone can validate the outcome. Get together your own personal random sample of voters, and they can individually check their own vote in the public ballot record.

      The above article says: “You can’t prove the elections are valid without a degree in computer science!!” but a public ballot proves that 100% incorrect. Because anyone who cares can check their vote, and ask everyone they know to check their vote, and assuming their votes match up; how can they possibly come to the conclusion that the vote was rigged?

      No need to trust the “random 75,000 counters” (PS. I don’t know a single vote counter, or scrutineer despite the “surely everyone knows one” comment from the article).

      Everyone wins as far as I can tell.
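As an added example, not part of the comment above, here is that scheme in Python: a board that hands each voter a random non-identifying receipt code, publishes every (code, vote) pair after the close of polls, and lets a voter check their own entry while anyone recounts from the published record. Class and function names, the receipt size and the sample votes are my own constructions.

```python
import secrets
from collections import Counter

# Added example (names are my own): a public ballot record in the style the
# comment proposes. Each vote is a constructed preference order such as
# ["A", "B", "C"], stored and published in plaintext.


class BallotBoard:
    def __init__(self):
        self._entries = {}  # receipt code -> preference order

    def cast(self, preferences):
        """Record a vote and return a random, non-identifying receipt code.

        The code is drawn fresh for each ballot and is never linked to the
        roll mark-off, so the board alone cannot say who cast what.
        """
        code = secrets.token_hex(8)  # 64 random bits (assumed receipt size)
        while code in self._entries:  # vanishingly rare, but never reuse a code
            code = secrets.token_hex(8)
        self._entries[code] = tuple(preferences)
        return code

    def publish(self):
        """After the close of polls, release the whole record as-is."""
        return dict(self._entries)


def verify_receipt(published, code, preferences):
    """Voter-side check: is my vote on the board exactly as I cast it?"""
    return published.get(code) == tuple(preferences)


def recount(published):
    """Anyone can retally first preferences from the published record."""
    return Counter(prefs[0] for prefs in published.values())


def tampered_copy(published, code, new_preferences):
    """Simulate an insider altering one stored vote before publication."""
    altered = dict(published)
    altered[code] = tuple(new_preferences)
    return altered


# Constructed election with three voters.
board = BallotBoard()
alice = board.cast(["A", "B", "C"])
bob = board.cast(["B", "A", "C"])
carol = board.cast(["A", "C", "B"])
record = board.publish()

if __name__ == "__main__":
    print("alice verifies:", verify_receipt(record, alice, ["A", "B", "C"]))
    print("first preferences:", dict(recount(record)))
    bad = tampered_copy(record, bob, ["A", "B", "C"])
    print("bob verifies after tampering:", verify_receipt(bad, bob, ["B", "A", "C"]))
```

The caveat a practitioner would add: because the receipt lets its holder prove to a third party how they voted, a plaintext board of this kind enables vote buying and coercion, which is why deployed end-to-end verifiable designs publish encrypted ballots together with a verifiable tally rather than the votes themselves.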

  3. There have been many obvious problems with electronic vote counting in the U.S. and there have been many time consuming recounts.

    The ballot is scanned electronically without too much intelligence. The scanner “looks” for marks in preset spots and records those marks as votes for a specific candidate or issue. Assuming the voter marks the ballot appropriately (“voter intent”), the ballot will be counted correctly.

    However, voters may engage in other activities, such as circling names as opposed to numbering the boxes, that will result in a ballot not being scanned correctly. With paper ballots, the legal framework for how these marks are interpreted is critical for the counting process (voter intent). Each state has its own laws regarding vote counting and many various issues that can trigger a recount.

    Several U.S. states do not have electronic voting!

    • In Aus, when we say electronic voting we mean online (or I guess touchscreens that are later synced online). No need for humans to write on things at all. I can’t imagine who could think that would be a good system to begin with.

      I guess I remember tests done in my school years that were along those lines. I suppose your electronic voting machines have been around for some time?

      • I was answering the question about vote counting, not electronic voting.

        “No need for humans to write on things at all.”
        This is the problem. This dispenses with the paper trail for purposes of auditing or recounts. Also look up the meaning of “voter intent” in this context.

        “I suppose your electronic voting machines have been around for some time?”
        Well documented and well documented problems in the media every time there is a poll.

        Stay tuned for the U.S. Federal Election in November. There are bound to be problems as there were in 2008 and 2013.

  4. Why not collect votes electronically at polling booths? Paper ballots could be completely removed. Each location would electronically tally votes and at the close of polls transfer the data via a secure means (a backup/redundancy being created locally as well). There would be no need for the polling station to be online at all except to transfer the final data. While not ideal, it would be half a step in the right direction and should speed up vote counting significantly.

    • Why not … ?

      1) Because the voting machine may be corrupted to either a) record the wrong candidate for a vote, or b) present the wrong tally at the end, or c) transmit incorrect figures to the server.
      2) How do you guarantee the reliability and security of the network?
      3) How do you scrutinise the tally procedure when the votes are intangible and the procedure is invisible?
      4) How do you do a recount? We rely on computers, after all, to do the same thing time after time.

      Electronic voting, while an admirable ideal, nevertheless presents a range of, as yet, fatal and unsolved flaws.

  5. Renai:

    At the top of the article is:

  6. The way I see it.

    A) I want to know my vote is recorded correctly.

    B) I also want to know my vote has not been tampered with.

    A is relatively easy. The simple nature of a paperless ballot should resolve that, as I should not be able to do it incorrectly if it has been programmed correctly. Add an “Are you sure” button to check and we are golden.
    One thing with this however. I think we should enshrine the donkey vote. If you for whatever reason do not wish to have your vote count, then you should be able to. You should be able to select an “Abstain” option.

    B is the hard part, and it is really split in 2 parts. A way to confirm that my vote that I cast, and the vote that eventually gets counted are the same. Which could simply be a matter of providing the person an identifying “number” which allows them to log in and check. This number would need to be not associated with the individual, you would need clear separation of the “marking off the roll” and the actual “Vote” to ensure that the process does not connect the individual who is voting with the number that identifies the vote.
    You could then allow people to view all of the numbers, and the vote assigned to them.
    Second is ensuring the software is doing the right thing when counting. This would need to be transparent. Essentially it needs to be as simple as possible, and open to review by ANYONE at all. This would ensure that anyone with a little scripting knowledge can check and follow the path of a vote to ensure that the result is accurate.

    This ensures that we have individual checking to ensure votes are recorded correctly. Then we have raw numbers so that vote checking can occur in a manual fashion by independent parties. And we have the code to show how the counting works, and anyone with the knowledge can verify the accuracy of said code.

    • “Add an ‘Are you sure’ button to check and we are golden.”

      Sorry, but what about the “Are you really sure” button? (And being it’s all those of voting age in the country, there’ll be a significant portion who’ll need an “are you really really sure?”!)

      You’ve not been around long enough if you’ve not encountered one of ‘those’ users :)

