With electronic voting on the rise, the 2020 ACT election was an important test, but it wasn’t conducted transparently enough, Rajeev Goré, Vanessa Teague, T Wilson-Brown, and Alwen Tiu write.
Imagine narrowly missing out on a seat in last month’s Australian Capital Territory (ACT) election. How would you decide whether to accept your loss or challenge and demand a more thorough and careful count?
In the past, your supporters would have voted for you on paper and your scrutineers would have watched the count. This is familiar in Australia: in 2016 when the federal election went down to the wire, even Senator George Brandis joined in the public examination of the evidence behind the count.
The ACT’s electronic voting and counting system (EVACS), in contrast, provides no such evidence, relying instead on the perfection of its code, creating an unscrutinisable process.
There are, of course, some ways to mitigate this danger, and Elections ACT used to be proud of making the code openly available, allowing open analysis and corrections. But in 2020, Elections ACT changed the code. So, did it get the right answer? There is no way to know for sure.
Nobody who voted electronically in October did so using the code published on Elections ACT’s website. Instead, they used a completely new system, unscrutinised by experts or the public. Then, when we requested access to the code we were told it would require us to sign a confidentiality agreement which explicitly forbids us from publishing our findings for 60 days, despite the fact ACT Election challenges must be lodged within 40 days of the declaration of results.
Since it was not available earlier, there was no way for anyone to examine the code and report on it during the election period.
The system should have a voter-verifiable paper trail, so voters can check their vote was accurately recorded and scrutineers can check the paper ballots. Such paper trails are even mandated in some democracies, including India and some states in the United States, because without them a security problem, configuration mistake, undetected software error, or another surreptitious substitution could alter electronic votes without detection.
Apparently, this independent evidence is unnecessary because the code has been certified by partners chosen by Elections ACT, but the audit report explicitly says, “It was not the purpose of the review to verify that the code works correctly.” There are numerous other examples from New South Wales, Switzerland, and the United States, where electronic election systems passed certification despite serious errors.
We have examined earlier, openly available, versions of the ACT’s EVACS code and found serious errors in both accuracy and privacy.
The Australian National University (ANU) logic group found an error in the EVACS 2001 counting code, for instance.
Further errors were found, again by ANU researchers and also by T Wilson-Brown. These errors had the potential to cause the wrong people to get elected but, by sheer good luck, had not (yet) affected any actual election results. Some have been patched but, without a full public record, nobody can check whether they have all been corrected.
In 2018, independent security researcher T Wilson-Brown identified a collection of serious privacy problems, discovering that EVACS recorded very detailed timing information about each vote, thus exposing voters to identification by insiders and jeopardising the secrecy of ballots.
Even more concerning, the votes were not shuffled before they were posted publicly, thus introducing the risk that a person’s vote could be exposed to others who voted near the same time.
Elections ACT’s 2020 public voter frequency data confirms part of that 2018 analysis.
There are quiet voting periods where there is only one voter in the entire polling booth, which in 2016 would have made it easy to link that voter to their vote.
Knowing how people voted is incredibly valuable to political parties, lobbyists, advertisers, and anyone who might wish to influence or subvert the democratic process, and at the moment, nobody can verify that the security arrangements at Elections ACT are able to protect data that is both sensitive and valuable.
In 2018, Elections ACT didn’t seem particularly concerned about collecting or storing detailed timing data, despite the ACT Electoral Act specifically stating in section 118A that “The commissioner may approve a program under subsection (1)(a) only if the program will … (d) not allow a person to find out how a particular elector cast his or her vote.” It is now clear this condition was not met in 2016, and as for 2020, there is no way to be sure.
Some documents released last week under Freedom of Information laws show that for the 2020 election they intended to fix the bug by removing timestamps and shuffling the votes before publication. But with no source code, we can’t confirm if these improvements were implemented securely, nor check if there are any other ways to link voters to votes.
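The fix described above (removing timestamps and shuffling before publication), together with the checks a reviewer would want to run on a release, sketched as an added example that is not EVACS code or anything published by Elections ACT. The record fields, sample data, one-hour bucket and threshold `k` are all assumptions made for illustration.

```python
import secrets
from collections import Counter
from datetime import datetime

# Constructed sample records. Field names are hypothetical, not the EVACS schema.
RAW = [
    {"seq": 1, "cast_at": "2020-10-06T09:02:11", "place": "A", "prefs": (3, 1, 2)},
    {"seq": 2, "cast_at": "2020-10-06T09:17:40", "place": "A", "prefs": (1, 2, 3)},
    {"seq": 3, "cast_at": "2020-10-06T09:48:05", "place": "A", "prefs": (2, 3, 1)},
    {"seq": 4, "cast_at": "2020-10-06T14:30:52", "place": "A", "prefs": (1, 3, 2)},
    {"seq": 5, "cast_at": "2020-10-06T09:20:00", "place": "B", "prefs": (3, 2, 1)},
    {"seq": 6, "cast_at": "2020-10-06T09:25:00", "place": "B", "prefs": (1, 2, 3)},
]

PUBLISHABLE = ("place", "prefs")  # allow-list: every other field is dropped


def quiet_periods(records, k=2):
    """Return {(place, hour): n} for hours in which fewer than k votes were cast."""
    per_hour = Counter(
        (r["place"], datetime.fromisoformat(r["cast_at"]).strftime("%Y-%m-%d %H:00"))
        for r in records
    )
    return {slot: n for slot, n in per_hour.items() if n < k}


def sanitise(records, rng=None):
    """Copy only allow-listed fields, then shuffle with an OS-backed CSPRNG."""
    rng = rng or secrets.SystemRandom()
    out = [{f: r[f] for f in PUBLISHABLE} for r in records]
    rng.shuffle(out)  # breaks the link between publication order and casting order
    return out


def check_release(raw, published):
    """Raise if the release carries extra fields or changes the ballots counted."""
    for rec in published:
        if set(rec) != set(PUBLISHABLE):
            raise ValueError(f"release fields must be exactly {PUBLISHABLE}")
    before = Counter((r["place"], r["prefs"]) for r in raw)
    after = Counter((r["place"], r["prefs"]) for r in published)
    if before != after:
        raise ValueError("published ballots differ from the ballots cast")
    return True


if __name__ == "__main__":
    print("hours with fewer than 2 voters:", quiet_periods(RAW))
    print("release passes checks:", check_release(RAW, sanitise(RAW)))
```

Shuffling only protects the published file: if timestamps or sequence numbers remain in internal storage or logs, insiders can still make the link, which is why the source code and storage arrangements need to be open to review.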
Even more hidden is the ACT’s Internet voting solution – an apparently new system designed to solve one of the hardest open problems in online security. No information was available at election time, though some documents were published after the election in response to our request.
While it may be easy for Australians to imagine that election problems occur only overseas, Canberrans need to look to their own election systems more closely.
Ultimately, it is just not acceptable for votes to be cast on a system which has never had anything resembling open review, and about which almost no information is available to voters or candidates, making it impossible even to check whether known serious privacy problems have been fixed.
If you stood for election, and were disappointed in the result, you have almost nothing to scrutinise or recount. The result might be right, or it might be wrong, and there is no evidence either way.
The United States election results show the critical importance of building an evidence trail that convinces winners and losers alike that the election was conducted fairly and its results are accurate. The ACT’s EVACS system builds no such evidence. It urgently needs to be updated with a voter-verifiable paper record, and rigorous audits of those paper records, in time for the 2024 election.