The Times: Tech column - E-voting risks
By David Rowan
GOOD news for anyone looking to fix a future British election: next Monday the Electoral Commission will announce where millions of citizens will be able to vote electronically for their MEPs next June via the internet, digital TV, the telephone or text messaging. The Government sees this expansion of "e-voting" as an important step towards our first full electronic general election, eagerly promised "some time after 2006". Why, then, are computer-security experts warning that even the best technology will throw such an election open to high-tech fraud?
IT experts in universities on both sides of the Atlantic are uneasy about the e-voting systems being implemented in Britain. Some systems, developed in the United States, stand condemned as "open to wholesale vote fraud". Others, used here in last May's local elections, allegedly contain "substantial flaws" that could alter the legitimate result. The perils range from possible interference by a determined hacker to a rogue programmer's ability to write "malicious" software to favour one party. The commercial companies supplying the technology for UK election pilots say that security is their priority. But growing evidence is emerging that some of these have covered up security flaws in the past.
Whistleblowers in the US allege that they have been fired for pointing out software problems. Independent researchers claim that the companies' lawyers have sought to silence them. Yet because these firms tend to keep their software secret "for commercial reasons", often no independent way exists to assess the risks.
Occasionally, though, a shard of light is cast on the possibilities. Diebold, a US company whose e-voting machinery has been used here, refuses to make its software available for public scrutiny. But last winter some Diebold programming code was found on an unprotected website, and passed to computer scientists at Johns Hopkins University. Their analysis suggests that a teenager could beat the system using equipment bought cheaply over the internet. Voters could cast unlimited votes without being detected, and votes could be overwritten in the system's logs.
This might all be dismissed as academic theorising, were it not for some strange happenings in US elections involving electronic voting. In Baldwin County, Alabama, the governorship was handed from a Democrat to a Republican after 6,300 votes changed overnight from one party to another. In the Georgia governor's race last year, a Republican was declared the surprise winner after Diebold applied a last-minute "patch" to its e-voting machines. A long list of similar incidents does not inspire confidence about the integrity of e-voting in the US especially when some of the companies involved have close Republican Party links, prompting all sorts of conspiracy theories. The UK electoral system is, of course, far too robust to allow anything so foreign as rogue software or hanging chads to taint our faith in democracy. Still, if Mr Blair insists on rushing towards e voting, he must ensure that any software companies awarded contracts make their computer code available for independent scrutiny, and that every time a computerised vote is cast, a paper copy is printed to let voters know that ballots have been recorded as intended. Because although technology can certainly help to reinvigorate the electoral process, it will take just one security breach to undermine public confidence irreparably.
(The Times, December 2 2003)
GOOD news for anyone looking to fix a future British election: next Monday the Electoral Commission will announce where millions of citizens will be able to vote electronically for their MEPs next June via the internet, digital TV, the telephone or text messaging. The Government sees this expansion of "e-voting" as an important step towards our first full electronic general election, eagerly promised "some time after 2006". Why, then, are computer-security experts warning that even the best technology will throw such an election open to high-tech fraud?
IT experts in universities on both sides of the Atlantic are uneasy about the e-voting systems being implemented in Britain. Some systems, developed in the United States, stand condemned as "open to wholesale vote fraud". Others, used here in last May's local elections, allegedly contain "substantial flaws" that could alter the legitimate result. The perils range from possible interference by a determined hacker to a rogue programmer's ability to write "malicious" software to favour one party. The commercial companies supplying the technology for UK election pilots say that security is their priority. But growing evidence is emerging that some of these have covered up security flaws in the past.
Whistleblowers in the US allege that they have been fired for pointing out software problems. Independent researchers claim that the companies' lawyers have sought to silence them. Yet because these firms tend to keep their software secret "for commercial reasons", often no independent way exists to assess the risks.
Occasionally, though, a shard of light is cast on the possibilities. Diebold, a US company whose e-voting machinery has been used here, refuses to make its software available for public scrutiny. But last winter some Diebold programming code was found on an unprotected website, and passed to computer scientists at Johns Hopkins University. Their analysis suggests that a teenager could beat the system using equipment bought cheaply over the internet. Voters could cast unlimited votes without being detected, and votes could be overwritten in the system's logs.
This might all be dismissed as academic theorising, were it not for some strange happenings in US elections involving electronic voting. In Baldwin County, Alabama, the governorship was handed from a Democrat to a Republican after 6,300 votes changed overnight from one party to another. In the Georgia governor's race last year, a Republican was declared the surprise winner after Diebold applied a last-minute "patch" to its e-voting machines. A long list of similar incidents does not inspire confidence about the integrity of e-voting in the US especially when some of the companies involved have close Republican Party links, prompting all sorts of conspiracy theories. The UK electoral system is, of course, far too robust to allow anything so foreign as rogue software or hanging chads to taint our faith in democracy. Still, if Mr Blair insists on rushing towards e voting, he must ensure that any software companies awarded contracts make their computer code available for independent scrutiny, and that every time a computerised vote is cast, a paper copy is printed to let voters know that ballots have been recorded as intended. Because although technology can certainly help to reinvigorate the electoral process, it will take just one security breach to undermine public confidence irreparably.
(The Times, December 2 2003)
<< Home