Aussies Do It Right: E-Voting 

By Kim Zetter

Story location: http://www.wired.com/news/ebiz/0,1272,61045,00.html

02:00 AM Nov. 03, 2003 PT

While critics in the United States grow more concerned each day about the insecurity of electronic voting machines, Australians designed a system two years ago that addressed and eased most of those concerns: They chose to make the software running their system completely open to public scrutiny.

Although a private Australian company designed the system, it was based on specifications set by independent election officials, who posted the code on the Internet for all to see and evaluate. What's more, it was accomplished from concept to product in six months. It went through a trial run in a state election in 2001.

Critics say the development process is a model for how electronic voting machines should be made in the United States.

Called eVACS, or Electronic Voting and Counting System, the system was created by a company called Software Improvements to run on Linux, an open-source operating system available on the Internet.

Election officials in the Australian Capital Territory, one of eight states and territories in the country, turned to electronic voting for the same reason the United States did -- a close election in 1998 exposed errors in the state's hand-counting system. Two candidates were separated by only three or four votes, said Phillip Green, electoral commissioner for the territory. After recounting, officials discovered that out of 80,000 ballots, they had made about 100 mistakes. They decided to investigate other voting methods.

In 1999, the Australian Capital Territory Electoral Commission put out a public call for e-vote proposals to see if an electronic option was viable. Over 15 proposals came in, but only one offered an open-source solution. Two companies proposed the plan in partnership after extensive consultation with academics at Australian National University. But one of the companies later dropped out of the project, leaving Software Improvements to build the system.

Green said that going the open-source route was an obvious choice.

"We'd been watching what had happened in America (in 2000), and we were wary of using proprietary software that no one was allowed to see," he said. "We were very keen for the whole process to be transparent so that everyone -- particularly the political parties and the candidates, but also the world at large -- could be satisfied that the software was actually doing what it was meant to be doing."

It took another year for changes in Australian law to allow electronic voting to go forward. Then in April 2001, Software Improvements contracted to build the system for the state's October election.

Software Improvements' Matt Quinn, the lead engineer on the product, said the commission called all the shots.

"They, as the customer, dictated requirements including security and functionality, (and they) were involved at every step of the development process, from requirements to testing," Quinn said. "They proofed every document we produced."

The commission posted drafts as well as the finished software code on the Internet for the public to review.

The reaction was very positive.

"The fact that the source code had been published really deflected criticism," Quinn said.

A few people wrote in to report bugs, including an academic at the Australian National University who found the most serious problem.

"It wasn't a functional or a security issue but was a mistake nonetheless, and one that we were glad to have flagged for us," said Quinn.

In addition to the public review, the commission hired an independent verification and validation company to audit the code, "specifically to prevent us, as a developer, from having any election-subverting code in there," Quinn said.

"We were concerned that it wouldn't be secure enough," said Green, the electoral commissioner. The audit was performed specifically to search for security weaknesses in the system, but Green says the researchers found none.

The state tested 80 machines in the election, distributed among eight polling places throughout Canberra (the country's capital). A comparative manual count after the election showed that the system operated accurately.

The plan is to use the 80 machines again next year, but Quinn said the difficulty in deploying the system nationwide is that it would have to be adapted for use over larger geographic areas.

The machines are not what Quinn would call high-tech. The voting terminal consists of a PC and offers ballots in 12 languages, including Serbian and Farsi. The system includes English audio for vision-impaired and illiterate voters.

The voter swipes a bar code over a reader that resets the machine for a new vote and calls up a ballot. Once a selection is made and reviewed, the voter swipes the bar code again to cast the vote. The bar code doesn't identify the voter; it simply authorizes the voter to cast one ballot.

The terminals link to a server in each polling place through a secure local-area network so no votes are transmitted over the Internet or phone lines.

Quinn said the server writes two copies of the votes onto separate discs that are digitally signed and delivered independently to a central counting place. The digital signature is a 128-bit unique identifier generated from the voting data. If the data were changed in transit, the identifier would change too, raising red flags that something went wrong.
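The check described above, as an added example that is not code from eVACS or from the article: the polling-place server tags each disc's vote data with a 128-bit value, and the counting place recomputes the tag on both independently delivered copies. The article does not name the algorithm, so the keyed HMAC-SHA-256 truncated to 128 bits, the key, the function names and the sample ballots are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_BYTES = 16  # 128 bits, the identifier size given in the article


def make_tag(key: bytes, vote_data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 truncated to 128 bits; the article does not
    # name the algorithm eVACS used.
    return hmac.new(key, vote_data, hashlib.sha256).digest()[:TAG_BYTES]


def write_disc(key: bytes, vote_data: bytes) -> dict:
    # What the polling-place server stores on one disc: data plus its tag.
    return {"data": vote_data, "tag": make_tag(key, vote_data)}


def check_delivery(key: bytes, disc_a: dict, disc_b: dict) -> list:
    # Run at the central counting place on the two delivered discs.
    problems = []
    for name, disc in (("disc A", disc_a), ("disc B", disc_b)):
        if len(disc["tag"]) != TAG_BYTES:
            problems.append(f"{name}: tag is not 128 bits")
        elif not hmac.compare_digest(make_tag(key, disc["data"]), disc["tag"]):
            problems.append(f"{name}: tag does not match data")
    if disc_a["data"] != disc_b["data"]:
        problems.append("copies differ")
    return problems


# Constructed sample data, not real ballot records or a real key.
KEY = b"constructed-polling-place-key"
VOTES = b"ballot 1: 3,1,2\nballot 2: 1,2,3\n"


def demo() -> dict:
    good_a, good_b = write_disc(KEY, VOTES), write_disc(KEY, VOTES)
    # Data changed in transit, tag left as written by the server.
    altered = dict(good_b, data=VOTES.replace(b"3,1,2", b"1,3,2"))
    # Data changed and tag recomputed by someone who does not hold the key.
    retagged = write_disc(b"some-other-key", altered["data"])
    return {
        "intact": check_delivery(KEY, good_a, good_b),
        "altered": check_delivery(KEY, good_a, altered),
        "retagged": check_delivery(KEY, good_a, retagged),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "ok")
```

A tag computed without a secret would still catch accidental corruption, but anyone able to rewrite a disc could recompute it; the keyed tag and the comparison against the second copy are what make a deliberate change visible.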

The machine does not include a voter-verifiable receipt, something critics of U.S. systems want added to machines and voting machine makers have resisted.

A voter-verifiable receipt is a printout from the machine, allowing the voter to check the vote before depositing the receipt into a secure ballot box at the polling station. It can be used as a paper audit trail in case of a recount.

Green said the commission rejected the printout feature to keep expenses down. The system cost $125,000 to develop and implement. The printouts would have increased that cost significantly, primarily to pay for personnel to manage and secure the receipts and make sure voters didn't walk off with them.

Quinn, however, thinks all e-voting systems should offer a receipt. "There's no reason voters should trust a system that doesn't have it, and they shouldn't be asked to," he said.

"Why on earth should (voters) have to trust me -- someone with a vested interest in the project's success?" he said. "A voter-verified audit trail is the only way to 'prove' the system's integrity to the vast majority of electors, who after all, own the democracy."

As for the costs of securing and storing such receipts, Quinn said, "Did anyone ever say that democracy was meant to be cheap?"

Quinn also believes that voting systems must use open-source software.

"The keystone of democracy is information," he said. "You have a big problem when people don't have enough information to make up their minds or, even worse, they have misleading information and make up their minds in a way that would be contrary to what they would decide if they had the full story.

"Any transparency you can add to that process is going to enhance the democracy and, conversely, any information you remove from that process is going to undermine your democracy."

The issues of voter-verifiable receipts and secret voting systems could be resolved in the United States by a bill introduced to the House of Representatives last May by Rep. Rush Holt (D-New Jersey). The bill would force voting-machine makers nationwide to provide receipts and make the source code for voting machines open to the public. The bill has 50 co-sponsors so far, all of them Democrats.

"If a voting system precludes any notion of a meaningful recount, is cloaked in secrecy and controlled by individuals with conflicts of interest, why would anyone buy it?" Quinn said. "At the very least give citizens the right to choose whether they want to use paper ballots ... thus allowing each elector to be personally satisfied as to the integrity of the process in which they are participating."

Quinn, who was working in Chicago for Motorola during the 2000 presidential election, says he is "gob smacked" by what he sees happening among U.S. electronic voting machine makers, who he says have too much control over the democratic process.

It has been widely reported that Ohio-based Diebold Election Systems, one of the biggest U.S. voting-machine makers, purposely disabled some of the security features in its software. According to reports, the move left a backdoor in the system through which someone could enter and manipulate data. In addition, Walden O'Dell, Diebold Election Systems' chief executive, is a leading fundraiser for the Republican Party. He stated recently that he was "committed to helping Ohio deliver its electoral votes to the president next year."

"The only possible motive I can see for disabling some of the security mechanisms and features in their system is to be able to rig elections," Quinn said. "It is, at best, bad programming; at worst, the system has been designed to rig an election."

"I can't imagine what it must be like to be an American in the midst of this and watching what's going on," Quinn added. "Democracy is for the voters, not for the companies making the machines.... I would really like to think that when it finally seeps in to the collective American psyche that their sacred Democracy has been so blatantly abused, they will get mad."

But he says that the security of voting systems in the U.S. shouldn't concern Americans alone.

"After all, we've all got a stake in who's in the White House these days. I'm actually prone to think that the rest of the world should get a vote in your elections since, quite frankly, the U.S. policy affects the rest of the world so heavily."
