
computer vote counting is a radically different trust model

Computer vote counting is a radically different trust model than a hand-counted election.

Instead of a vote counted in public by known individuals, with observers, you have a third-party for-profit vendor counting the vote in private, with testing by the election authority, but no meaningful observation.

If an elections authority proposed to pay a vendor’s employee to count votes in private, even with a complete background check of the employee, I have the feeling that not many people would go for it.

But in what is essentially the same scenario, except with the employee replaced with a “machine”, people don’t seem to have a problem.

I thought about why this might be the case, and it seems to be one primary and one secondary thing.  Primary is the idea that a person has unlimited freedom of action, but a “machine” does not.  Secondary is the confusion that because the vote tabulator itself is in public, somehow the vote count is still “in public”, even though it’s taking place inside the literal black box of the tabulator.

This is I guess a 20th Century collision with 21st Century realities.  If you have an assembly line with a machine that makes pins, if you turn your back, it won’t suddenly decide to secretly make hammers.  Because the vote tabulator looks like some sort of machine, and is described usually as either “electronic” or “machine”, people think it is a single-function device.  But it’s actually a general purpose computer.  Which means that not only does it have a wide range of freedom of action, just like a human being, it can lie to you about what it is doing, just like a human being.

It would be interesting to see a polling station set up with a giant human-sized black box that the ballots go into to be counted, and see how people reacted to that.  Because there really is no difference between that and the computer vote tabulator.  Basically you’ve taken a very limited trust in known people you can watch in public, and changed it to a very extensive trust in unknown vendor employees and in the elections organisation itself operating in private.

If you have a very complicated count and very high expectations of a fast count, then there is some justification in using a vote counting computer, as long as you don’t trust the computer.  You have to audit the paper, not the computer.  You can test the computer as much as you want, it can always lie.  This is exactly what happened in the Volkswagen diesel emissions scandal, where the car’s computer could detect when it was being tested and would change its behaviour accordingly.  So when you use a computer to count paper, you have to audit the paper with a manual count (a risk-limiting audit).  Unfortunately as far as I know, no Canadian jurisdiction follows a computer ballot count with a risk-limiting audit.
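To make "audit the paper, not the computer" concrete, here is an added example (not from the original post) of a ballot-polling risk-limiting audit using the BRAVO sequential test, a method this post does not name. The candidate names, tallies, paper piles and seed are constructed for illustration.

```python
import math
import random


def bravo_audit(reported, drawn_ballots, risk_limit=0.05):
    """BRAVO-style ballot-polling audit of a plurality contest.

    reported      -- {candidate: tally} as announced from the tabulators
    drawn_ballots -- iterable of candidate names read by hand from paper
                     ballots drawn uniformly at random, with replacement
    Returns (confirmed, ballots_examined). False means the sample never
    gave enough evidence, so the next step is a full hand count.
    """
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    # Reported winner share within each (winner, loser) pair.
    share = {l: reported[winner] / (reported[winner] + reported[l])
             for l in losers}
    # One sequential likelihood-ratio test per pair, kept as a logarithm.
    log_ratio = dict.fromkeys(losers, 0.0)
    unconfirmed = set(losers)
    threshold = math.log(1.0 / risk_limit)

    examined = 0
    for mark in drawn_ballots:
        examined += 1
        if mark == winner:
            # Paper evidence for the reported winner against every open pair.
            for l in unconfirmed:
                log_ratio[l] += math.log(share[l] / 0.5)
        elif mark in unconfirmed:
            wrong = 1.0 - share[mark]
            # A paper ballot for a candidate reported at zero votes
            # contradicts the report outright.
            log_ratio[mark] += math.log(wrong / 0.5) if wrong > 0 else -math.inf
        # Blank, spoiled or unlisted marks carry no evidence for any pair.
        unconfirmed = {l for l in unconfirmed if log_ratio[l] < threshold}
        if not unconfirmed:
            return True, examined
    return False, examined


def draw_with_replacement(paper_pile, max_draws, seed):
    """Yield hand-read marks from randomly selected paper ballots."""
    # A fixed seed keeps this demo repeatable; a real audit would take its
    # seed from a public ceremony so nobody can predict the sample.
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield rng.choice(paper_pile)


# Constructed data: what the tabulators reported for one district.
REPORTED = {"A": 6000, "B": 3000, "C": 1000}
# Constructed paper piles: one agrees with the report, one does not.
PAPER_AGREES = ["A"] * 6000 + ["B"] * 3000 + ["C"] * 1000
PAPER_DISAGREES = ["A"] * 3000 + ["B"] * 6000 + ["C"] * 1000


def demo(paper_pile, seed=2018, max_draws=2000):
    """Audit the same reported tallies against a given pile of paper."""
    sample = draw_with_replacement(paper_pile, max_draws, seed)
    return bravo_audit(REPORTED, sample)


if __name__ == "__main__":
    for label, pile in (("paper agrees", PAPER_AGREES),
                        ("paper disagrees", PAPER_DISAGREES)):
        confirmed, n = demo(pile)
        verdict = "outcome confirmed" if confirmed else "not confirmed, full hand count"
        print(f"{label}: {verdict} after {n} ballots")
```

The audit never consults the tabulator's software or test results: its only inputs are the announced totals and marks read by people from randomly drawn paper ballots.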

In any case, Canadian federal and provincial elections are trivial to count.  You literally just sort the ballots into a few piles.  And because the count is simple it is also fast.

The Ontario provincial switch to vote counting computers is wrapped with PR about technology, but it’s actually about staffing.  (The underlying concept is literally called "Proposal for a technology-enabled staffing model for Ontario Provincial Elections".)  Basically it’s hard to get people to staff elections now, and they’re tired by the end of the day which means they are sometimes not in the best shape to do a bunch of precise counting.  There are many many ways to address elections staffing.  For example, you could simply bring in people, e.g. High School students, to do the count at the end of the day.

Addressing a staffing problem by completely changing the counting trust model wouldn’t have been my choice.  And I would assert that the only reason it’s even possible is because people don’t realise the trust model has been radically changed.

In any case, online voting is a much much worse problem than vote counting computers, so this is about all I have to say about the vote tabulators issue.

Previously:
May 11, 2018  2018 Ontario Provincial Election to use vote counting computers

2018 Ontario Provincial Election to use vote counting computers

The 2018 Ontario Provincial Election taking place on June 7, 2018 will for the first time use vote counting computers province-wide.  This replaces hand-counting of ballots.

The computer vote tabulators use optical scan technology to read hand-marked paper ballots.

This is the least-worst use of computer technology for vote counting as the hand-marked ballots are still available to be counted.  However, these are still computers that have to be programmed, which means there is always the potential for errors or malicious code.

Key Questions

Fundamentally in elections, you don’t trust anyone.  That means you don’t trust the computer vote tabulator either.  Use of computer vote tabulators introduces the following key questions:

  • Will there be a public hand-counted risk-limiting audit following every election, to test the computer count?
  • In the case of a recount, will the ballots be hand-counted under judicial supervision, or will the ballots be run through the computer vote tabulators again?  (It appears that the legislation requires recounts to use a manual hand-count of the paper ballots.)

The new voting procedures were launched with a May 9, 2018 press release (PDF) and accompanying media event.

Elections Ontario is modernizing the voting process and putting the needs of electors first by introducing technology in the polls. Election officials will be using electronic poll books (e-Poll books) and vote tabulators across the province for advance voting. On election day, 50% of the polls will have vote tabulators and e-Poll books … serving 90% of electors.

There was a Canadian Press story by Liam Casey, see e.g. CBC News – Ontario to use electronic voting machines for first time in spring election – May 9, 2018.

The tabulator is a Dominion Voting ImageCast® Precinct computer optical scan vote tabulator.

The history is buried in the post-event reports for two byelections that tested the technology:

It is very clear from the Proposal that the key issue is staffing; the technology is being introduced to address poll staffing issues.

Additional Questions and Considerations

Disclaimer: I am not a lawyer.

Additional questions raised by the use of computer vote counting equipment:

  • Are there provisions for erasing the digital copies of the ballots stored by the vote counting equipment? (I see no procedures described in law. Organisations often do not consider the security implications of digital copies of scans, see e.g. CBS News – Digital Photocopiers Loaded With Secrets – April 19, 2010.)
  • What are the security implications, in particular the chain-of-custody implications, of sharing computer vote counting equipment with other jurisdictions (e.g. Ontario municipalities)?  Doesn’t the risk of computer code alteration increase with each new jurisdiction that has access to the machine?
  • What are the procedures for transmitting the results of the computer count to Elections Ontario?  Is the count based on printouts from the vote tabulators, the vote tabulator memory cards, or transmission over a network?  What are the security implications of permitting the computer vote counting equipment to be connected to a network in order to transmit the count?  See e.g. Freedom to Tinker – Are voting-machine modems truly divorced from the Internet? – February 22, 2018.
  • What are the procedures for handling the vote tabulator memory cards?

In the March 22, 2018 Guelph Mercury article Ontario’s voting system secure, chief election official says the following statement is made by the Chief Electoral Officer:

“The Ontario government has hired a cybersecurity team to assist any of the ministries with private security — and we’ve been working with that team over the last year, year and a half, and they’ve been working with all of our systems,” he said.

“They’ve been doing penetration testing, vulnerability testing … to ensure that our systems are up-to-date and secure. There have been some slight alterations based on their recommendations, and we are very confident and we take security very, very seriously.

“I want to make sure that all the systems and all the personal information that we have is protected.”

  • Will these tests be made available to the public?  Including both the test procedures and the results?
  • Why doesn’t the Ontario Election Act section 4.5 (3) 3. include independent security and integrity testing for computer vote tabulators, in addition to logic and accuracy testing, as is required for accessible voting equipment in 44.1 (5)?
  • Will the independent security and integrity reports required by 44.1 (5) be made available to the public?
  • Will the machines be made available for independent expert testing, by Canadian academics who are computer security experts?
  • Will the machines be made available for independent expert testing by hackers, e.g. in DefCon Voting Village or at e.g. Canadian Hackfest?
  • As the computer vote tabulators stack ballots in sequence in a bin, in theory it is possible to de-anonymise the votes by carefully tracking voters as they cast ballots.  Is there any provision for randomising the stacked ballots in order to prevent this potential risk?

For more about what it means to change from public hand-counted ballots to ballots counted by a computer from a private for-profit company, see computer vote counting is a radically different trust model.

Governing Legislation

The governing law is the Ontario Election Act, R.S.O. 1990, c. E.6

The relevant sections, modified in 2016 (Election Statute Law Amendment Act, 2016, S.O. 2016, c. 33 – Bill 45) and in force as of January 1, 2017 are:

  • Authority to share equipment and resources – 4.0.3 (1) The Chief Electoral Officer may make equipment, advice, staff, or other resources available to other electoral authorities in Canada.
  • Use of vote counting equipment – 4.5 (1) The Chief Electoral Officer may issue a direction requiring the use of vote counting equipment during an election and modifying the voting process established by this Act to permit the use of the equipment.

Next section blockquoted due to complexity:

Restrictions re equipment

4.5 (3) The following restrictions apply with respect to the use of vote counting equipment:

1. The equipment must not be part of or connected to an electronic network, except that the equipment may be securely connected to a network after the polls close, for the purpose of transmitting information to the Chief Electoral Officer.

2. The equipment must be tested,

i. before the first elector uses the equipment to vote, and
ii. after the last elector uses the equipment to vote.

3. For the purpose of paragraph 2, testing includes, without limitation, logic and accuracy testing.

4. The equipment must not be used in a way that enables the choice of an elector to be made known to an election official or scrutineer.

  • Recount conducted manually – 74.1 A recount that is made from the actual ballots shall be conducted manually, even if the original count was done by vote counting equipment. 2010, c. 7, s. 31.

The only section that speaks about voting equipment security appears to apply solely to section 44.1 Accessible voting equipment

Accessible voting equipment, etc.

44.1 (1) At an election, accessible voting equipment and related vote counting equipment shall be made available in accordance with this section and in accordance with the Chief Electoral Officer’s direction under subsection (2). 2010, c. 7, s. 24 (1).

Condition

(5) Despite subsection (1), accessible voting equipment and related vote counting equipment shall not be made available unless an entity that the Chief Electoral Officer considers to be an established independent authority on the subject of voting equipment and vote counting equipment has certified that the equipment meets acceptable security and integrity standards. 2010, c. 7, s. 24 (1).

There is no analogous section under 4.5 vote counting equipment.  Disclaimer: I am not a lawyer.

2018 Ontario Provincial Election will not use Internet Voting

Following is verbatim from Elections Ontario Proposal for a technology-enabled staffing model for Ontario Provincial Elections (PDF), page 10 “Why are we not proposing internet voting?”, published sometime in 2016 or 2017.  (Also available from the Legislative Assembly of Ontario Library.)

Recognizing that many of the societal changes we have discussed have been possible because of the evolution of the internet, the question often posed is: why, when other jurisdictions (such as Ontario municipalities) are moving toward internet voting, is Elections Ontario not exploring or proposing an internet voting solution?

Elections Ontario explored the possibility of internet voting in a comprehensive research study conducted between 2010 and 2012. Recommendations and the full analysis of the study can be found in the Alternative Voting Technologies Report available on our website. In the report Elections Ontario provides implementation criteria for networked voting, and outlines the current barriers to those criteria being met. To date, Elections Ontario has not found a networked voting solution that would protect the integrity of the electoral process.

Because of the requirement for a paper ballot, for the purposes of this pilot project the introduction of internet voting does not address our primary concern: reducing staffing requirements for a General Election. To reduce the staffing requirements for a General Election a solution that maintained a paper ballot while automating processes at the voting location was required. Internet voting may provide another channel for electors to use in the future; however, it would not itself reduce the required staff at voting locations.

Internet voting is often considered in the context of increasing voter turnout. As mentioned in the Alternative Voting Technologies Report there is no conclusive evidence that internet voting will have a positive impact on turnout. More recently, the Internet Voting Project published a report[1] on the 2014 Ontario Municipal Elections that supports this assessment that there is not a correlation between internet voting and increased turnout.

[1] Internet voting project report: results from the 2014 Ontario Municipal Elections.  [Editor’s note: It’s not completely clear which report they are referring to, but probably Internet Voting Project Report August 2016 which states on page 65 “despite comments about observed improvements in turnout, this study, and other research, clearly indicates that Internet voting is not the magic bullet solution to improve voter participation or to engage young people”.]

The Alternative Voting Technologies Report mentioned is available in two parts:

I have also written extensively about the Elections Ontario Alternative Voting Technologies Report in blog post Province of Ontario Internet voting.

comment on The Agenda – Is Online Voting the Future?

TVO – The Agenda – Is Online Voting the Future? – May 17, 2017

COMMENT

In future I hope that TVO will invite computer scientists who specialise in elections security when the topic is online voting.

There were a number of things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, and that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.

In every such case, without exception, the recommendation is against online voting. This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.

END COMMENT

Also see my longer email with links – email to TVO about online voting.

email to TVO about online voting

Here is an edited version of an email sent to TVO about their May 17, 2017 The Agenda segment on online voting.

EMAIL

I was pleased to see Steve Paikin ask a variety of questions about online voting, Internet security and electoral fraud in the May 17, 2017 The Agenda segment on the topic.

http://tvo.org/video/programs/the-agenda-with-steve-paikin/is-online-voting-the-future

There were many things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, or that municipalities have to make the decision about online voting without any comprehensive background briefing about the computer security risks, or that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.  In every such case, without exception, the recommendation is against online voting.

This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.
[added for the web: recommendations on Internet voting from government consultations]

In addition, Quebec has a total moratorium on all forms of electronic voting, including online voting.

As well there is the recent expert study of the PEI referendum, which also recommended against online voting.

Just to give you a flavour of these kinds of expert assessments, here’s what Toronto had to say in its analysis http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

Should you have a future segment about online voting, I urge you to include computer science expertise.  Here is a list of contact information for experts specifically in the risks of online voting, including Canadian experts such as Dr. Simons and Dr. Essex:

[embedded list replaced with web link: Internet voting and computer security expertise]

END EMAIL

Province of Ontario Internet voting

(This post is about provincial-level voting, not the municipal elections covered in the Municipal Elections Act.)

Ontario examined provincial online voting from fall 2010 to fall 2012, with the resulting three years of investigation being published as a report on “alternative voting technologies” in June 2013.  The report is in two parts, consisting of the main report and a separate Appendix 5 which is a 231-page business case about online voting.

The report is currently available on the Elections Ontario page Reports and Publications, under Recommendations

The report concludes that Internet voting, which it calls “network voting”, is not ready for use because it does not meet the necessary requirements and needed level of integrity.

Elections need to be administered with proven, well-tested, and secure processes. Innovations must be tested in a methodical and principled manner, so that the benefits and risks of the innovation can be objectively assessed, without endangering the trust that electors have in the integrity of the process and the validity of the results.

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

The report sets out very clear requirements that a voting system needs to meet

Our implementation criteria are:

  • Accessibility:
    The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
  • Individual verifiability:
    The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
  • One vote per voter:
    Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
  • Voter authentication and authorization:
    The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
  • Only count votes from valid voters:
    The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
  • Voter privacy:
    The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
  • Results validation:
    The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
  • Service availability:
    The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

This language calls to mind the requirements in the Computer Technologists’ Statement on Internet Voting.

The report identifies a number of risks that are specific to Internet voting, including digital authentication, digital denial of service, and lack of transparency.

When developing our implementation criteria, we ensured that they addressed the following risks and limitations:

  • Security concerns – security breaches that could jeopardize the integrity of the voting process.[vi]
  • Secure digital authentication mechanisms are not available.[vii]
  • The possibility of denial of service – whether deliberate or inadvertent.[viii]
  • Lack of transparency, including for a vote audit or for recount purposes, due to the lack of a paper trail.
  • The digital divide – some electors or subgroups of electors do not have equal access to the internet.
  • Network voting is costly – particularly when supplementing existing voting channels.[ix]

The end notes are
[vi] For example, Vaughan, Huntsville, Edmonton. Edmonton recently completed a trial implementation of internet voting, where electors were invited to vote online for their favourite colour of jellybean. On the basis of this trial, a citizen panel recommended to city council that they proceed with plans for internet voting in the upcoming election for the city of Edmonton. However, the city council rejected this recommendation, citing concerns regarding security.
[vii] For example, Vaughan; concerns raised by McAfee
[viii] Vaughan and others citing the denial-of-service experience faced by the NDP during its 2012 leadership election.
[ix] For example, Vaughan; U.S. military

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

The report continues by examining the use of Internet voting in Ontario municipalities.

In 2010, 44 of 444 Ontario municipalities offered network voting for their municipal elections.

Turnout does not increase when online voting is offered.

The academic literature supports Markham’s experience in suggesting that there are inconclusive results about the impact of network voting on voter turnout. Voter turnout is influenced by a number of factors, many which are difficult to quantify. These include, for example, the competitiveness of the election, candidate campaign mobilization efforts, issues at stake, voter fatigue, and the weather, among other elements that may vary from one election to the next in the same jurisdiction.

The technology, introduced with claims of efficiency, sometimes actually introduces delays and increases risk.

…a total of 33 municipalities experienced system delays on election day when servers became overloaded due to hardware problems and higher-than-expected levels of access by election candidates. Electors were delayed in casting their votes during this time. In some cases, voting hours were extended by an hour in order to compensate for the lost time; at least one municipality extended voting for a full day.

The hardware server error experienced by the vendor raises concerns regarding reliance on vendors to provide critical election related services such as election results accumulation and tabulation. An overreliance on vendors and technology can heighten risks to the electoral process if appropriate mitigation strategies are not in place.

When Ontario examined the municipal experience and compared the technology available with the requirements (listed earlier), they concluded

If we return to public expectations that a network voting solution would be more convenient, just as secure and less cumbersome than our current processes, the experiences of many Ontario municipalities indicate that the benefits of network voting may not be as great as predicted.

The report then looks at Nova Scotia

In 2008, four municipalities in Nova Scotia offered internet voting in their municipal elections. By 2012, that number had grown, and 15 municipalities offered internet voting.

and at Alberta

After the City of Edmonton withdrew its support in February 2013, Alberta withdrew its funding for other internet voting pilots and decided not to proceed with a regulatory change that would have permitted pilots in municipal elections.

Ontario’s conclusion based on federal and provincial evidence:

Most jurisdictions have concerns with the security of voting over the internet as technology and legislative frameworks have not yet evolved to fully address integrity concerns.

When examining the US experience, Ontario finds particular importance in independent public audits:

First, we will need to extensively test any proposed solution to ensure that it meets our implementation criteria. When conducting these tests, we should consider the value of offering independent, public review and open testing to ensure that Ontarians can be satisfied that we have resolved any potential concerns regarding security, privacy, authentication, and verification.

The report then turns to the 2003 and 2007 Internet voting trials in the UK. For the large trial in 2003 it finds:

Overall, although electors enjoyed the convenience of network voting, it had a very minimal effect on turnout. While some jurisdictions experienced voter turnout increases up to 5 per cent, other jurisdictions registered a decline in voter turnout of up to 8 per cent.[xxviii]

For 2007, the results were even worse:

In a review of the pilots, the United Kingdom Electoral Commission found there was insufficient time available to implement and plan the pilots, and the quality assurance and testing was undertaken too late and lacked sufficient depth. The United Kingdom Electoral Commission stated that “the level of implementation and security risk involved [with the pilots] was significant and unacceptable”.[xxx]

The end notes are
[xxviii] United Kingdom Electoral Commission. 2005. Securing the Vote.
[xxx] United Kingdom Electoral Commission. 2007. “Key issues and conclusions: May 2007 electoral pilot schemes.”

See the references mentioned in the end notes in the copy of Appendix 3: Selected Works Consulted.

All that remains of the Securing the Vote report on the UK Electoral Commission site is the page Securing the vote – detailed proposals for electoral change announced.  The actual document itself does not show up in search.  The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots, the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online.  There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Returning to the Province of Ontario report, moving on to conclusions, the key point that Internet voting does not increase turnout is again emphasized

As we discussed earlier in this report, often people assume that introducing a new channel of voting such as network voting will translate to an increase in voter turnout. Our research supports the findings of the City of Edmonton’s Issues Guide on Internet Voting which states that, at present, there is

“no conclusive evidence that shows introducing Internet voting will have a positive impact on turnout. Internet voting will not fix the problem of voter turnout decline completely – it is not a solution to the social and political causes of non-voting. ….”[xxxiii]

The end note is

[xxxiii] Goodman Issues Guide: Internet Voting. p. 20.

This is a reference to Edmonton’s Issues Guide: Internet Voting by Nicole Goodman, November 2012.  Currently available from the City of Edmonton, and also in the Internet Archive.

To quote the Issues Guide:

The rationale(s) for not adopting Internet voting or for being more cautious in its consideration include topics such as security, notably threats of hacking and election fraud and problems associated with voter authentication. Privacy/ ballot secrecy is also cited as a worry. Additionally, there is uncertainty surrounding an effective evaluation process such as the ability to audit the election that may include a re-count or some type of ballot verification.

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

Moving to Appendix 5: Network Voting Business Case

Alternative Voting Technologies Report – Appendix 5 Network Voting Business Case (2012).pdf (copy in Internet Archive)

I will quote only the section on chain of trust, just to illustrate the complexity of properly building an Internet voting system, followed with some commentary:

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

  1. Source code audit to verify that the code will do only what it is intended to do.
  2. Digital signature of the audited source code to protect its authenticity and integrity.
  3. Trusted build of the executable code in front of auditors (based on audited source code).
  4. Signature of the executable code to protect its authenticity and integrity.
  5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
  6. Logic and accuracy testing of the voting system to validate it works properly.
  7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
  8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
  9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

So this sounds reasonable, if challenging, time-consuming, and expensive, plus requiring a great deal of specialised expertise (which means excluding most oversight by ordinary citizens). But when examined from a computer science perspective, it might as well be called “the insurmountable mountain chain of trust”, because each step indicated above is a difficult problem in and of itself, and some of them are active areas of research because they are currently unsolved.  Doing a meaningful source code audit for any non-trivial source code is incredibly challenging.  Making a “trusted build” is almost impossible, because literally every software component in the build needs to be somehow trusted.  Needing trusted software components means a logical loop that can’t be satisfied: in order to build trusted software, you need a trusted compiler, but in order to build a trusted compiler, you need a trusted compiler.  Similarly, the concept of “logical seals” sounds great, but no such thing exists.  You might as well say “magic lock”.  This is just one of the reasons why computer scientists will tell you that secure Internet voting with trusted software is a problem that isn’t currently solved.

Finally, here are the works cited by the main report. Where necessary, I have added Internet Archive links for unavailable works.

APPENDIX 3 – SELECTED WORKS CONSULTED