Some Victorians who vote early in the upcoming State Election will be using the world's most sophisticated electronic-voting technology.
They will also be part of democratic history, participating in Australia’s first end-to-end verifiable electronic voting system. It’s only the second time in the world that voters in a binding government election will have the opportunity to log on and verify that their electronic vote is cast as they intended and properly included in the count. (The first time was in Maryland, USA, in 2009.)
The e-voting system, designed by an international team of researchers from Surrey (UK), Melbourne and Luxembourg, is based on a system called Prêt à Voter.
The system will be available in some polling places in Victoria and overseas, and includes special features to help voters who find it hard to cast a vote with pencil and paper (SEE VEC explainer on who can e-vote and how below).
As useful as e-voting may be for many voters, it also brings its own suite of potential problems. How do we make sure it is secure? That the e-vote is registered accurately by the computer, and transmitted accurately to where it will be counted, and accurately included in the count?
If you’re not worried about electronic voting, you should be. Studies both in Australia and overseas have shown systems used in real elections to have been subject to serious security vulnerabilities. See for example the California Top to Bottom review and the NSW iVote system.
This is despite the systems having been “certified” by various security experts. This is serious because a weakness in a voting system is potentially an avenue for electoral manipulation, either by mis-recording the votes, or by modifying or miscounting them later.
Elections have to produce evidence that the announced outcome is correct. With paper ballots, parties provide scrutineers who check the counting of votes. How do we do that for electronic voting?
Electronic voting systems in Tasmania and WA take the simple approach of printing out a paper record that goes into a ballot box along with the ordinary paper votes. This provides computerised help for voters who need it, while also giving them the chance to check that their vote is cast as they intended. Scrutineers can watch the paper count as usual. This system has a lot to recommend it, but it doesn’t solve the separate problem of how to transport paper votes securely.
In the new Victorian Electoral Commission system, a voter will begin as usual, by coming to a polling place and answering the usual questions about their name and address, and whether they have voted already that day.
For those voters eligible to vote electronically - and note that this option will only be available for early voters, and not on polling day 29 November - the main ambition of the verifiable system is to give them assurance that their ballot accurately reflects their intentions and has gone properly into the count, without potentially exposing their vote to someone else.
Here’s how it works:
For each e-voter, officials print out a special ballot form that contains a randomly ordered list of all the candidates. (Shown on the left side of the picture.) The order is generated afresh (probably differently) for each voter. There is a QR code on the candidate list, along with a serial number that links to an online, encrypted version of that randomly-ordered candidate list.
Now the voter sits down at the voting station, which is a computer (a tablet PC) in a private booth, equipped with a printer and a QR code reader. The voter holds the QR code on the candidate list to the computer scanner, which will tell the computer the particular order of this voter’s candidates.
The voter tells the computer how he or she wants to vote. Then the computer prints out the serial number, plus their preference numbers, arranged to align with their particular candidate order. It also sends this same information into the central tally.
The voter checks that the printed preference receipt lines up the preferences correctly with the candidates he or she has chosen, then shreds the candidate list.
The crucial trick is that the randomly-ordered candidate list allows the voter to check that the preferences receipt truly indicates the vote they intended, but the preferences receipt itself reveals nothing about how they voted. The reason the candidate list is randomised is to protect the voter’s privacy. After voting, the voter will walk out holding only their serial number and their list of preference numbers, arranged to align with their particular candidate order BUT WITHOUT THE CANDIDATE ORDER, which they will destroy.
They can take the preferences receipt home and use it to verify online that their vote went correctly into the electronic vote list. (Scrutineers still have to check that the electronic votes were properly incorporated into the paper hand count.)
Hence all the apparatus is there for the system to be technically “verifiable”, but that’s not much use if nobody bothers to verify it. If you want evidence that your vote is cast as you intended and properly included in the count, you have to do some work.
How to verify your electronic vote:
(Optional, before voting): Download a BLS Signature Checking app from the Google Play Store, or write your own. (EDITOR'S NOTE: this link is not yet available but we will update when it is). This will allow you to check the digital signatures on printouts, which provides evidence that the data came from the right place.
Once at the voting place, you’ll start with your unique list of candidate and group names printed on paper (as explained in the process above). This is not a ballot but a mechanism to protect your voting privacy. The voting machine will help you to put the preferences you choose beside the groups or candidate names.
The candidate list printout contains:
• a lower-house electoral district name (which also determines the upper-house electoral region),
• a randomly ordered list of the candidate names for the lower house,
• a list of group names (for above the line “ticket” voting in the upper-house),
• a randomly ordered list of the candidate names for the upper house (for below-the-line “individual candidate” voting in the upper-house),
• a QR code containing all this data, plus a digital signature,
• a serial number, which should match the one on the first form, and points to an online, encrypted version of all this data.
CHECK 1: So how do you know that the QR code really contains the same information as the printed names on the candidate list? You can check! This is called “ballot confirmation”, a process which is optional but highly recommended. You just ask the computer that printed it for confirmation that the ballot is properly formed – that is, that the list of candidate names matches the encrypted electronic instructions to the computer.
Note that if you do run a confirmation check on a candidate list, you then have to get a new candidate list. You can’t vote with a form that you’ve confirmed, because that would allow you to prove how you voted. You can, however, confirm the correctness of as many candidate lists as you like before you decide they’re OK and you can confidently vote on the next one.
How to process your vote:
Show the QR code on the candidate list to the computer, then start voting using the computer. When finished, the computer prints:
• the electoral district,
• the serial number,
• your voting preferences arranged to put the right numbers beside the right candidates on the printed list,
• a QR code with this data, plus a digital signature.
This is called a preferences receipt. (An example can be seen in the picture above, on the right.)
CHECK 2: Put the preferences receipt beside your candidate list and check that it printed the preferences you wanted beside the candidate or group names. Also check that the districts and Serial Numbers match.
CHECK 3: (For those with the BLS signature checking app) Check the signature in the QR code; shred the candidate list; leave the polling place with the printed preferences receipt. It doesn’t reveal anything about how you voted, because nobody else knows your candidate order. However, you can use it later to check that your vote was included unmodified in the count.
CHECK 4: Find your preferences receipt in the online list of accepted votes. Check the serial number and the order of your preference numbers.
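The receipt mechanism described under “Here’s how it works” and in Checks 2 and 4, as an added Python example that is not part of the vVote source code. It leaves out the encryption, digital signatures and shuffle proof; the candidate names, serial number and function names are constructed for illustration.

```python
import itertools
import random

CANDIDATES = ["Alder", "Banksia", "Cassia"]  # constructed names, not real candidates

def make_candidate_list(serial, rng):
    """Officials print a freshly shuffled candidate order for each voter."""
    order = CANDIDATES[:]
    rng.shuffle(order)
    return {"serial": serial, "order": order}

def make_receipt(candidate_list, intended):
    """Voting station: preference numbers aligned row by row with the printed order."""
    prefs = [intended[name] for name in candidate_list["order"]]
    return {"serial": candidate_list["serial"], "prefs": prefs}

def check_receipt(candidate_list, receipt, intended):
    """CHECK 2: serials match and each number sits beside the intended candidate."""
    beside = dict(zip(candidate_list["order"], receipt["prefs"]))
    return receipt["serial"] == candidate_list["serial"] and beside == intended

def check_board(receipt, board):
    """CHECK 4: the published entry for this serial carries the same numbers."""
    return board.get(receipt["serial"]) == receipt["prefs"]

def votes_consistent_with(receipt):
    """Every ranking an observer holding only the receipt cannot rule out."""
    return {
        tuple(name for _, name in sorted(zip(receipt["prefs"], order)))
        for order in itertools.permutations(CANDIDATES)
    }

def demo():
    rng = random.Random(2014)  # fixed seed so the run is repeatable
    intended = {"Banksia": 1, "Cassia": 2, "Alder": 3}
    clist = make_candidate_list("SERIAL-0001", rng)  # placeholder serial
    receipt = make_receipt(clist, intended)
    board = {receipt["serial"]: list(receipt["prefs"])}
    tampered = {receipt["serial"]: list(reversed(receipt["prefs"]))}
    return {
        "receipt_ok": check_receipt(clist, receipt, intended),
        "on_board": check_board(receipt, board),
        "tamper_caught": not check_board(receipt, tampered),
        "hidden_among": len(votes_consistent_with(receipt)),
    }

if __name__ == "__main__":
    print(demo())
```

With three candidates the receipt alone is consistent with all six possible rankings, which is why the candidate list has to be shredded before leaving the booth.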
After polling closes, anyone can verify the mathematical proof that all submitted votes are properly shuffled and decrypted. You can download the VEC’s verification app (or write your own).
You can also download the source code from here or the tech report from here. You can read as much as you like about as many of the system details as you care to.
The author, Vanessa Teague, was part of the expert team that produced the verification protocol for the vVote system. The protocol was produced by a team at the University of Surrey, based on a design by Chris Culnane, James Heather and Steve Schneider (University of Surrey), Peter Ryan (University of Luxembourg) and Vanessa Teague (University of Melbourne).