Australian electoral legislation amendments leave door open to electronic voting

Researcher Vanessa Teague has found the legislation in front of Parliament could pave the way for an insecure electronic voting system.

Australia's Electoral Legislation Amendment (Miscellaneous Measures) Bill 2020 is currently before the House of Representatives Electoral Matters Committee to review the changes put forward by Minister for Finance Mathias Cormann.

The changes within the Bill [PDF] would amend the Commonwealth Electoral Act to modify electoral donation and disclosure laws and "address anomalies" in entity registration and public election funding rules; as well as the intention to improve electoral processes, electoral administration, vote issuing procedures, and improve workforce flexibility for the Australian Electoral Commission (AEC).

But as cryptographer Dr Vanessa Teague highlighted late Monday, by way of introducing the capability to expand electronically assisted voting methods to Australians working in Antarctica, the Bill somewhat forces the AEC to accept internet voting.

While legislation currently allows for electronic voting to be performed by those with vision impairment, the Bill seeks to replace the phrase "sight-impaired people to vote by an electronically assisted voting method" with "an electronically assisted voting method to be used by sight-impaired people to vote".

It also includes the directive that the "regulations must provide for an electronically assisted voting method to be used by Antarctic electors to vote at general elections, Senate elections, and by-elections".

And at subsection 73M, the Bill seeks to add "the regulations must provide for an electronically assisted voting method to be used by Antarctic electors to vote at referendums".

See also: Tech-augmented democracy is about to get harder in this half-baked world

According to Teague, one of the objectives of the amendment is to force the AEC to introduce internet voting, saying "there are no requirements for transparency, security, or verification".

"Existing electoral law allows for 'electronically assisted voting' for sight-impaired voters, which [the AEC] has implemented previously as computer-assisted voting in a polling place. I'd fully support that if voters could verify a paper record of their vote," she tweeted.

"But the Bill *forces* [the AEC] to implement something for both vision-impaired and Antarctic voters. Though it doesn't explicitly mandate paperless Internet voting, it seems very hard to comply with otherwise."

Teague was part of the group of researchers that last year poked holes in the Swiss Internet voting system, which was the same system used by the NSW Electoral Commission's iVote.

iVote was purchased from Scytl Australia, a subsidiary of Barcelona-based election technology vendor Scytl Secure Electronic Voting, and is based on the system used by SwissPost.

In March 2019, Teague and her colleagues, Sarah Jamie Lewis and Olivier Pereira, found a flaw in the proof used by SwissPost system to prevent electoral fraud. Later that month, they detailed a second flaw that could be exploited to result in a tampered election outcome.

In July, NSWEC ordered Scytl to release parts of the source code in a bid to prove it contained no further vulnerabilities.

Vulnerabilities were then found by Teague in November.

The company was reported by local media as going into liquidation at the end of May, with discussions on its future still underway.

"I can't even imagine what they'd use if they wanted to, since the company that makes the NSW iVote system just went into liquidation … (which is a good thing for the democracies of the world)," Teague said.

"The NSW Electoral Commission understands that the supplier of its iVote software, Scytl, is presently involved in a sale process in Spain. Queries about the status of that sale should be directed to Scytl," a spokesperson told ZDNet. "The NSWEC is monitoring the situation and, to date, it has had no impact on the use of iVote."

The NSWEC spokesperson also said it has published several reports which address iVote security.

The committee is accepting submissions until 3 July 2020.

RELATED COVERAGE