The full text may be downloaded at https://evoting.cs.may.ie/
``Constitutional rights are declared not alone because of bitter memories of the past but no less because of the improbable, but not to be overlooked, perils of the future.''
Chief Justice O Dalaigh, speaking for the Supreme Court, McMahon v. Attorney General, 1972.
Irish Citizens for Trustworthy Evoting (ICTE) is an alliance of citizens, brought together by serious and legitimate reservations over the introduction of electronic voting in its proposed form. ICTE was established formally in May 2003 by Ms. Margaret McGaley but it has grown quickly and includes some of those that had previously been lobbying and raising their concerns in isolation. Currently its membership comprises over one hundred people, including technical and legal experts.
This document is the product of cooperation and open discussion between the members of the group via a public electronic forum, to which any person may subscribe and contribute. As such, it represents the common consensus amongst our membership.
PROTECTING DEMOCRACY
The accuracy of the proposed electronic voting system must be seen in the context of elections and national votes in general. These are the very foundations of a democratic society. Citizens expect their votes to be confidential, to have equal status and to be protected from alteration or loss. Any voting process, no matter how it is implemented, must have sufficient measures in place to maintain citizens' expectations of accuracy and secrecy.
It should be recognised from the outset that some may seek to pervert the course of the democratic process by attempting voting fraud. These illegal and unjust efforts may be made by individuals, groups or potentially by well-funded organisations. It is not necessary to show that tampering is likely in order to justify acting to protect against it. Elections are manifestly adversarial events in which there are clear motives to affect the result. With the introduction of electronic technology into elections there also comes an entirely new and unfamiliar risk model. It is not unusual for electronic systems to be attacked a relatively long period before any benefit is taken from such an attack. Frequently, attacks on electronic systems are practically undetectable, and many such attacks require minimal expertise.
Excluding deliberate attacks, electronic systems are inherently prone to random, unavoidable and naturally occurring causes of error. Inadvertent failures of hardware and software have occurred in voting machines in other countries. This has been most widely documented in US voting machines, but has also been seen in Belgium, where a single-event upset (most likely a cosmic ray) caused a 4,096-vote error in declared results. A similar naturally occurring and unavoidable error could occur with the Powervote counting PCs, and we may not notice it unless it is large enough to be absurd.
In Fairfax County, Virginia in November 2003, direct recording electronic (DRE) voting machines were seen to change the voter's choice on the screen from one candidate to another, in favour of the same candidate in each case. Some voters reported this and a machine was tested and found to do this with about one per cent of votes. This error could be corrected by the voter selecting the intended candidate again. Since the voters could see the vote being changed on the screen, it is likely that most of them corrected it, but that some did not notice the change. Since there was no independent, voter-verified record of the votes, it is impossible to tell what the result would have been if all voters' intentions had been recorded accurately.
Although this fault was visible to the voter, it is equally possible that a software bug or hardware fault could cause votes to be recorded wrongly while being displayed correctly. In that case, unless the result was implausible, it is very unlikely that this error would be discovered, since there would be no reason to suspect it.
This case also demonstrates that a fault can cause a machine to throw a small proportion of votes to a particular candidate, thereby potentially altering the result in a close election, without raising suspicion of an error.
While this case relates to a different model of voting machine to that used in Ireland, the nature of the risk is the same, since both are direct recording electronic machines with no voter-verified audit trail.
VOTER-VERIFIED AUDIT TRAIL
Central to our concerns about the system is the absence of a voter-verified audit trail (VVAT), also called a voter-verified paper audit trail (VVPAT) or a voter-verified paper ballot (VVPB).
A VVAT is the only practical means by which voters may be assured that their vote has been recorded correctly. Without it, the accuracy of an electronic voting system cannot be verified in any way that is independent of the system itself.
By ``voter verification'' we mean the process by which each voter personally ensures that the vote recorded on his/her behalf is identical to the vote actually cast. The only way voters can verify that their votes have been recorded accurately is by observing that recording themselves.
This implies that verification has not occurred if the voter is only told what has been recorded, by another human or by a device. If the Nedap/Powervote system were modified to include a VVAT, voters would see their own votes on paper, as they did in the all-paper system, and would not have to trust in the assurances of any person or device.
By ``voter-verified audit trail'' (or ``VVAT'') we mean a physical token (usually paper) which: (a) is verified by the voter in each case; (b) is subsequently so handled that tampering is impractical; and (c) is the final and authoritative record of the vote in the event of disputes.
Although we will deal with many particulars of the chosen system, it is important to note that the lack of a VVAT alone is a critical design flaw and is sufficient to render any such electronic voting system untrustworthy, and its accuracy unknowable. A VVAT is a simple, independent record of our votes -- verified by us as voters -- and is the only method which allows for verification of the end result.
VVAT is considered essential by independent computer security and electronic voting experts such as Bruce Schneier and Dr. Rebecca Mercuri. Organisations, including the USACM1 and the electronic voting panel of the ICS2 have issued statements declaring that VVAT is necessary for trustworthy electronic voting.
ADDITIONAL CONCERNS
When testing a car, mechanics would never examine individual parts without testing the car as a whole. Such an approach is inherently prone to errors, but it is analogous to the manner in which the Nedap/Powervote electronic voting system has been tested.
While concerns over improper testing are incidental to the fatal lack of a VVAT, we are nonetheless submitting additional evidence in this regard. This is done to highlight relevant, realistic weaknesses which may affect electronic voting systems in general and, more specifically, the chosen system.