A secure democratic Net is a fundamental right

We will likely have federal elections june the 13th for a reason that is quite hard to explain - even Belgians don't understand too much about it :)

The interesting thing is that a great number of great cities and smaller voting districts will organize it by computer.

What is interesting to know is that

* the hardware is from the nineties

* the software is old legacy code that has to be rewritten each time - in case we will know how the voting districts will be organised because there is still some discussion about that ....

* the parliamentary or democratic control on the way these electronic elections work is not really professional (if you click on the button evoting you will read more about evoting in Belgium).There are only a few supervisors dispatched from the parliament for the whole of the disctricts where electronic elections are held.

* the machines are installed in public places overnight, it is not clear if all those places are protected during that time

* the maintenance and the incident handling is done by a private firm and the technical supervision before, during and after the installation and is minimal, the supervisors in the voting places have not really a technical formation about how to supervise such an installation

* the last time there were a few incidents but the parliamentary reports about the electoral process are written by consensus and hardly debated in the parliament or the press. It is not a cover up but you have to read between the lines and know what it exactly means or what should have been done or not.

The situation is so dramatic that the Minister of Interior for the Flemish region, Mr Bourgeois, has declared that he is very worried because several cities have already said that they have found some problems while testing the old infrastructure.

This doesn't mean that the new model of evoting which should be tested should be installed as such. There is too little democratic control and oversight in the Belgian evoting process to be sure that nothing can go wrong. Off course it is only by limiting the number of elections that the interest of our citizens for the electoral process will increase. Having to vote 6 times in 8 years is really too much and is not good for anybody - and surely not the democracy and policy. Living with the fear and probability that you will have another electoral process or atmosphere in a year or so just makes any courageous policy or compromise impossible.

The source codes for the evoting in Belgium is public now. If you find interesting things please let us know.

Digivote  De broncodes van de geautomatiseerde stemming (zip)

Jites  De broncodes van de geautomatiseerde stemming (zip)

this has already been found in the code as a comment

./VOTE/HLC/SRC/GENLIB.C: // :TODO: avn 20050225 - way to easy for hackers to get at very sensitive data
./VOTE/HLC/SRC/LOGGING.C: // :TODO: avn 20050225 - way to easy for hackers to get at very sensitive data

It is not clear if the issue has been fixed......

auditing this software and the evoting process is process that is not really transparent and independent around here. For example it is the firm that writes the code that selects from a list of three the firm that will do the audit. Should I repeat this or would you like to reread it aloud to be sure that this is true ? Yes, I repeat the firm that writes the code selects itself the firm that will do the socalled independent audit from a list of three firms. Yes, this is called independent audit around here....

according to the articles in the press, really simple

you just put your voting card upside wrongly in the cardreader

and everything freezes

and let the fun begin

oh but I didn't see that paper showing how to put my card in

how stupid of me

or from the developers ?

Yesterday there were elections in Belgium. In some cities these elections were electronic, in others they were on paper. The electronic elections had about 400 incidents (on 25.000 machines).

In Belgium you could vote for the regional parliaments and for the European parliament. In Belgium citizens of the EU could vote only for the European parliament. In Brussels the vote was electronic.

Now it seems that in at least 3 cases citizens of the EU who could vote for the European parliament but not for the regional Brussels parliament had the screen to vote for the Brussels Parliament after they had voted for the European parliament. They said they used that vote, even if they normally couldn't.

This means that more people can have voted for the Brussels parliament than those that legally could have. SO these votes were illegal. It is not clear yet if there has been a control and how these votes have been cleaned out. This should have been done by taking the number of Belgian voters and the number of votes for the Brussels parliament. These should have been equal. It is not clear yet if this is the case and if it isn't if the difference could have made a difference.

With paper votes it is simple. You give the voting bulletins according to the status of the voter who presents himself. No voting bulletins for EU citizens for the regional parliaments. With electronic voting there is always something that can go wrong somewhere and there is nobody to check it. It should be checked. Because in any election any mistake should be checked and corrected. There is nothing worse for democracy than doubts about the legitimacy of the results.

As there are so few controls and supervisors (and activists) one should control this now. Because if this was possible with 3 voters how many others did also vote without having the right to that we don't know about ? Especially in Brussels and the provinces around it where the number of EU citizens is quite high.

The 7th of June the whole of the Belgian adult population should cast its vote. Part of it will be electronically and part of it on paper. The paper vote is a process that is known and tested. The electronic vote is a process that is hidden and not tested.

* the code is very old - as many of the machines

* the auditors of the preparation process are civil servants from the federal parliament who will make a report that will be neglected afterwards but that already gave some interesting reading about the last elections. They have all to agree on the conclusions so will not find dissent opinions in the text and you will have to read between the lines. They have not much support nor a budget to do this professionally even if they try to do their utterbest. The process stinks but that is not their fault.

* the auditor of this old code and the way it is adapted for the new election is CHOSEN by the FIRM that has won the market. Yes, you read it right, the firm that has to be audited choses the auditor itself from a shortlist. If you find this incredible you are not the only one but hey this is belgium, ceci n'est pas une pipe (so this is not an audit)

* during the election day itself the few parliamentarian auditors run around like crazy but as Belgium is too big they are in fact running around in circles, except if somewhere problems are noted that are so grave that their presence is needed. There are no public watchers and the thousands of chinese volunteers that are working in the voting booths have received very rudimentary information and procedures. In fact it are IBM elections because that firm is technically responsable for these elections. I am not saying that they are manipulating these elections, I am just saying that there are too few people knowing what to do and how to control when something is going wrong or being repared to be an open process.

There is a big story developing in evoting in the US and the difference is again in the details.

In a small county in a rural state the responsable organizers of the elections between 2004 and 2006 receive some new evoting software and hardware.

While they are doing the tests, they see that it is very simple to confuse the user to think that he has voted when he sees a screen popup vote and that if they could convince the voter that it is over and that he has to leave to voting booth (because there are people waiting) he resets the machine but in fact he changes the votes if necessary because it is only a CONFIRMATION ASKED screen.

To make it all work, they have to be all in it together. THe supervisors, the organisers, the counters and the election workers, but hey it is a small county and there is some money to be made.

So they go to their candidates and ask them money for this guaranteed victory. TO be sure they pay some people to vote accordingly in the preliminary voting period (in which many controls are absent).

I am not sure how it was discovered (and the sums are quite small) but they will all end up in jail.

But what is most interesting is that this social engineering attack (or user interface mistake) was a zero day that was discovered by others who didn't report but used it to their advantage (for some time).

So two questions remain

* shouldn't we when testing evoting procedures and installations more work/attack through scenario's and scheme's instead of a list of things to check ?

* how many more zero days are there out there in the evoting process ?

OSCE begins monitoring the evoting process in the US that will be the biggest ever e-lection in the developed world (without population register or national ID either - imagine)

These documents are a good preparation

This is why Obama needs to win by a landslide so the difference isn't decided on technical and legal discussions like in 2000 and 2004.

http://www.esat.kuleuven.be/~decockd/slides/electronic.vo...

but as we always say - the problems are in the details not in the presentations, presentations aren't detailed enough to take into consideration the possible problems.

The last two elections were a hell of problems, lawyers and voting technologies that seem to be problematic coupled with democratic questions about the number of people that were allowed to vote or that practically couldn't vote because the infrastructure was not present to accomodate them all.

http://www.866ourvote.org/real-stories/ 

and another series that are in this letter from this representative 

http://judiciary.house.gov/News/PDFs/Conyers-Nadler-Sanch...

how volunteers audit polling stations and voting technology and procedures

http://www.counttheballots.org/audits.htm