[This article was amended on 2nd April 2014 to include new comments from the NSW Electoral Commission regarding claims made by security researchers.]
Australia may lag behind the French when it comes to competitively priced cheese, wine and real estate but it seems we’re trumping our Gallic friends in one area at least: electronic voting.
Scytl, the Spanish company behind the NSW election electronic voting system iVote, is already spruiking its benefits, proclaiming last week’s state election set a new world record for online voting.
More than 280,000 electronic votes were cast in the NSW election – five times greater than in the NSW 2011 election – which Scytl said represented a “staggering increase” in online votes and the largest government binding online voting election result in the world.
The state’s closest competitor was France where 240,000 electronic votes were cast by French people living abroad when they elected members of the French national parliament.
To be eligible to use iVote voters must be vision impaired, have reading difficulties, live more than 20 kilometres from a polling station or be absent from the state on election day.
But despite Scytl’s claim that “auditors, security experts and citizens” have heaped praise onto iVote there were some concerning glitches in this year’s electronic voting, one of which may yet result in a legal challenge.
Before election day, iVote was forced offline for a few hours after the Animals Justice Party and the Outdoor Recreation Party were omitted from the ‘above the line’ section of the Upper House ballot paper. Nearly 20,000 people voted with the incorrect ballot paper before the error was spotted by an Outdoor Recreation Party member. The NSW Electoral Commission later said the omission was due to human error and the Animal Justice Party is considering a legal challenge.
Days later, Melbourne University computer security researchers – known electronic voting sceptics and members of an anti-internet voting group in the US – declared that they had identified a ‘Man in the Middle’ security vulnerability on a publicly available “practise” version of the iVote system used as a test bed ahead of the live vote.
You can read how they did it here.
The researchers went on to criticise the Commission for not understanding “the serious implications of this attack”.
Researchers Dr Vanessa Teague and Professor J Alex Halderman said the Commission’s claim that the system was inviolable did not stack up.
“The problem was a direct consequence of faulty design in the iVote system, particularly the decision to include code from an external source,” they said.
“Its effect was to allow an attacker to modify votes, which shows the NSW Electoral Commission’s past claim that the vote was “fully encrypted and safeguarded [and] can’t be tampered with” to be false.”
“Just because they’ve patched this particular bug that they’ve been specifically notified of does not mean that they’ve fixed the fundamental questions around the security and verifiability of the system,” Dr Teague added.
With the State poll out of the way, the NSW Electoral Commission is responding more fully to the security claims that were dropped on it around election eve and it’s clearly unimpressed by the timing and tactics of the vulnerability disclosure.
“The Commission takes the security of all its systems, including iVote, very seriously,” a response from the Commission says. “While we welcome constructive comment, we are disappointed with the fact that Dr Teague and Dr Halderman have not disclosed to the public and the media their affiliation with an anti-internet voting lobby group in the USA and they did not provide their report to the Commission prior to releasing it to the media.”
The rollout of online and e-voting technology is a lightning-rod issue in jurisdictions that have voluntary or non-compulsory, especially the United States, because it has the potential to change election dynamics.
The Commission’s Chief Information Officer Ian Brightwell said in a statement at the time that the researchers did not provide any evidence of an actual breach of the iVote system and he was confident the problem had been fixed and the system was safe.
“With all voting systems, whether they’re paper of electronic, you have to have a certain degree of trust in your processes; the reality is we can’t guarantee across the board any of our votes in a way that would be absolutely definitive,” Mr Brightwell said.
“We are confident however that the system is yielding the outcome that we actually initially set out to yield, and that is that the verification process is not telling us any faults are in the system.”
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter