The design and verification of the New South Wales Electoral Commission's electronic voting system, iVote, will help ensure the integrity of the votes at the next election, NSW EC CIO Ian Brightwell has said.
The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters, and those living in rural areas who have difficulty reaching polling places. Voters are provided a 6-digit PIN in one letter, and an 8-digit iVote number separately via email, SMS, or phone, to enable access to the iVote system.
The votes were stored in central servers in two datacentres and printed at the close of polls for manual counting. Take-up in 2011 was much higher than the 10,000 expected, with 46,864 voters using the iVote system.
Following recommendations from the NSW Parliament, Scytl was awarded an AU$1.9 million contract to support the iVote system's core voting platform ahead of the 2015 state election, where it is expected up to 100,000 people will vote using the system.
To address public concerns that a vote may be compromised in an electronic voting system, Brightwell, a 15-year Electoral Commission veteran, admitted that no system could ever be hack-proof, but said a number of security and verification measures, both technical and non-technical, were in place to verify the votes cast.
"iVote itself is not a system that is immune to being hacked. If you learn anything from going to these conferences, it is that broadly speaking, everything can be hacked," he told ZDNet.
"There isn't such a thing as a system that can't be broken. The question is really, is the risk significant given the threat environment relative to what you're trying to do and the consequence of failure?"
In addition to the traditional firewalls, monitoring, and other security measures, voters themselves can verify that their vote was recorded as cast. The vote is encrypted at the browser level and sent to two separate servers: one for the ballot box and one for verification.
"That means if you're going to tamper with the vote, you must tamper with both votes because that's the only way you won't be detected when we do a comparison downstream," Brightwell said.
"If you tamper with both votes, then the vote that is sent to the verification server won't be the same as the vote you submitted, so the person who verifies their vote will say they didn't vote that way.
"In that case we will delete their vote and give them another vote."
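The two checks Brightwell describes can be modelled in a few lines. This is an added illustration, not iVote or Scytl code: the receipt ids, the per-server storage layout and every function name are assumptions, and opaque byte strings stand in for encrypted ballots.

```python
# Simplified model (assumption): each server holds {receipt_id: encrypted_ballot}.
# Receipt ids, storage layout and function names are hypothetical.

def reconcile(ballot_box, verification):
    """Downstream comparison of the two independently held copies."""
    findings = []
    for rid in sorted(ballot_box.keys() | verification.keys()):
        if rid not in ballot_box:
            findings.append((rid, "missing from ballot box"))
        elif rid not in verification:
            findings.append((rid, "missing from verification server"))
        elif ballot_box[rid] != verification[rid]:
            findings.append((rid, "copies differ"))
    return findings

def voter_disputes(submitted, verification):
    """Receipts where the voter's own check against the verification copy fails."""
    return sorted(rid for rid, ballot in submitted.items()
                  if verification.get(rid) != ballot)

def audit(submitted, ballot_box, verification):
    """Run both checks; disputed votes are deleted and re-issued, per the article."""
    return {"comparison": reconcile(ballot_box, verification),
            "reissue": voter_disputes(submitted, verification)}

# Constructed sample data: what three voters actually submitted.
SUBMITTED = {"R1": b"enc-ballot-aaa", "R2": b"enc-ballot-bbb", "R3": b"enc-ballot-ccc"}

def scenario(tamper_box=(), tamper_verif=()):
    """Build both server copies, alter the named receipts, then audit."""
    box, verif = dict(SUBMITTED), dict(SUBMITTED)
    for rid in tamper_box:
        box[rid] = b"enc-ballot-altered"
    for rid in tamper_verif:
        verif[rid] = b"enc-ballot-altered"
    return audit(SUBMITTED, box, verif)

if __name__ == "__main__":
    print("clean:      ", scenario())
    print("one copy:   ", scenario(tamper_box=["R2"]))
    print("both copies:", scenario(tamper_box=["R3"], tamper_verif=["R3"]))
```

A change to one copy surfaces in the server comparison, while an identical change to both copies passes that comparison and is caught only by the voter's check. The model assumes every voter verifies; a voter who never checks contributes nothing to the second control.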
To protect anonymity, a third, separate server handles the identification of an individual voter to ensure that a person's vote is not tied to their personal details.
"We can't, and can never, tell how someone actually voted, but we're confident the list of votes we have actually reflects the votes each individual cast," Brightwell said.
The core server will reside in the NSW government's datacentre, while the registration system sits on existing NSW Electoral Commission servers. Brightwell said that the verification system's location had yet to be determined because the contract for the verification system had yet to be awarded. He said the idea would be to have complete data segregation.
"We want to maintain data segregation and independence of control and management over that data. So if you have an allegation that we could have tampered with that vote without somebody knowing, what you're in fact saying is for us to successfully have done that, there would have to be a conspiracy, we would have been working with other parties."
Another less technical security measure is that only roughly 10 percent of voters are expected to use the electronic voting system, and Brightwell said it is not intended to be a complete replacement for the paper-and-pencil voting method. He said that if there are massive discrepancies between the electronic vote count and the paper vote count, this would be a sign that the system had been compromised.
He said that the voters taking up electronic voting tended to be either young people in their 20s travelling overseas or grey nomads travelling around Australia, and that this meant electronic voters tended to vote relatively similarly to the broader electorate.
The NSW Electoral Commission recruited CSC to provide a strategic threat assessment for the new system, and the company's director of global practice management for global cyber security Clinton Firth co-presented with Brightwell on the iVote system at AusCERT last week. The IT security strategy put in place following CSC's assessment will also help to identify potential threats to the iVote system.
One of the commonly-proposed methods to ease security fears around electronic voting is to make the system's software open source to allow the public to verify that it is up to the task. Brightwell said that the NSW Electoral Commission is open to showing the source code to people with the skills and knowledge to verify the system, but is reluctant to make the source code completely public.
"Just providing source code on the internet for people to review isn't actually going to get you much of an outcome, because the only people who can truly review that source code, build the system, and test it are people with significant skills, and quite frankly, quite a bit of time on their hands," he said.
"We'd be delighted to have those people to do that exact task. What we're not so delighted with is people who are somewhat less skilled and knowledgeable actually asking lots of questions and taking up time of very valuable resources with no obvious benefit."
"So we're kind of reluctant to make it publicly available in the sense of available to anyone."
The system costs roughly AU$20 or AU$30 per vote to run, but Brightwell said that this could, over time, come down to between AU$5 and AU$10, significantly lower than the cost of handling absentee votes. He stressed, however, that cost was not a driver in delivering an electronic voting system.