A secure democratic Net is a fundamental right

We will likely have federal elections june the 13th for a reason that is quite hard to explain - even Belgians don't understand too much about it :)

The interesting thing is that a great number of great cities and smaller voting districts will organize it by computer.

What is interesting to know is that

* the hardware is from the nineties

* the software is old legacy code that has to be rewritten each time - in case we will know how the voting districts will be organised because there is still some discussion about that ....

* the parliamentary or democratic control on the way these electronic elections work is not really professional (if you click on the button evoting you will read more about evoting in Belgium).There are only a few supervisors dispatched from the parliament for the whole of the disctricts where electronic elections are held.

* the machines are installed in public places overnight, it is not clear if all those places are protected during that time

* the maintenance and the incident handling is done by a private firm and the technical supervision before, during and after the installation and is minimal, the supervisors in the voting places have not really a technical formation about how to supervise such an installation

* the last time there were a few incidents but the parliamentary reports about the electoral process are written by consensus and hardly debated in the parliament or the press. It is not a cover up but you have to read between the lines and know what it exactly means or what should have been done or not.

The situation is so dramatic that the Minister of Interior for the Flemish region, Mr Bourgeois, has declared that he is very worried because several cities have already said that they have found some problems while testing the old infrastructure.

This doesn't mean that the new model of evoting which should be tested should be installed as such. There is too little democratic control and oversight in the Belgian evoting process to be sure that nothing can go wrong. Off course it is only by limiting the number of elections that the interest of our citizens for the electoral process will increase. Having to vote 6 times in 8 years is really too much and is not good for anybody - and surely not the democracy and policy. Living with the fear and probability that you will have another electoral process or atmosphere in a year or so just makes any courageous policy or compromise impossible.

The source codes for the evoting in Belgium is public now. If you find interesting things please let us know.

Digivote  De broncodes van de geautomatiseerde stemming (zip)

Jites  De broncodes van de geautomatiseerde stemming (zip)

this has already been found in the code as a comment

./VOTE/HLC/SRC/GENLIB.C: // :TODO: avn 20050225 - way to easy for hackers to get at very sensitive data
./VOTE/HLC/SRC/LOGGING.C: // :TODO: avn 20050225 - way to easy for hackers to get at very sensitive data

It is not clear if the issue has been fixed......

auditing this software and the evoting process is process that is not really transparent and independent around here. For example it is the firm that writes the code that selects from a list of three the firm that will do the audit. Should I repeat this or would you like to reread it aloud to be sure that this is true ? Yes, I repeat the firm that writes the code selects itself the firm that will do the socalled independent audit from a list of three firms. Yes, this is called independent audit around here....

according to the articles in the press, really simple

you just put your voting card upside wrongly in the cardreader

and everything freezes

and let the fun begin

oh but I didn't see that paper showing how to put my card in

how stupid of me

or from the developers ?

Yesterday there were elections in Belgium. In some cities these elections were electronic, in others they were on paper. The electronic elections had about 400 incidents (on 25.000 machines).

In Belgium you could vote for the regional parliaments and for the European parliament. In Belgium citizens of the EU could vote only for the European parliament. In Brussels the vote was electronic.

Now it seems that in at least 3 cases citizens of the EU who could vote for the European parliament but not for the regional Brussels parliament had the screen to vote for the Brussels Parliament after they had voted for the European parliament. They said they used that vote, even if they normally couldn't.

This means that more people can have voted for the Brussels parliament than those that legally could have. SO these votes were illegal. It is not clear yet if there has been a control and how these votes have been cleaned out. This should have been done by taking the number of Belgian voters and the number of votes for the Brussels parliament. These should have been equal. It is not clear yet if this is the case and if it isn't if the difference could have made a difference.

With paper votes it is simple. You give the voting bulletins according to the status of the voter who presents himself. No voting bulletins for EU citizens for the regional parliaments. With electronic voting there is always something that can go wrong somewhere and there is nobody to check it. It should be checked. Because in any election any mistake should be checked and corrected. There is nothing worse for democracy than doubts about the legitimacy of the results.

As there are so few controls and supervisors (and activists) one should control this now. Because if this was possible with 3 voters how many others did also vote without having the right to that we don't know about ? Especially in Brussels and the provinces around it where the number of EU citizens is quite high.

The 7th of June the whole of the Belgian adult population should cast its vote. Part of it will be electronically and part of it on paper. The paper vote is a process that is known and tested. The electronic vote is a process that is hidden and not tested.

* the code is very old - as many of the machines

* the auditors of the preparation process are civil servants from the federal parliament who will make a report that will be neglected afterwards but that already gave some interesting reading about the last elections. They have all to agree on the conclusions so will not find dissent opinions in the text and you will have to read between the lines. They have not much support nor a budget to do this professionally even if they try to do their utterbest. The process stinks but that is not their fault.

* the auditor of this old code and the way it is adapted for the new election is CHOSEN by the FIRM that has won the market. Yes, you read it right, the firm that has to be audited choses the auditor itself from a shortlist. If you find this incredible you are not the only one but hey this is belgium, ceci n'est pas une pipe (so this is not an audit)

* during the election day itself the few parliamentarian auditors run around like crazy but as Belgium is too big they are in fact running around in circles, except if somewhere problems are noted that are so grave that their presence is needed. There are no public watchers and the thousands of chinese volunteers that are working in the voting booths have received very rudimentary information and procedures. In fact it are IBM elections because that firm is technically responsable for these elections. I am not saying that they are manipulating these elections, I am just saying that there are too few people knowing what to do and how to control when something is going wrong or being repared to be an open process.

There is a big story developing in evoting in the US and the difference is again in the details.

In a small county in a rural state the responsable organizers of the elections between 2004 and 2006 receive some new evoting software and hardware.

While they are doing the tests, they see that it is very simple to confuse the user to think that he has voted when he sees a screen popup vote and that if they could convince the voter that it is over and that he has to leave to voting booth (because there are people waiting) he resets the machine but in fact he changes the votes if necessary because it is only a CONFIRMATION ASKED screen.

To make it all work, they have to be all in it together. THe supervisors, the organisers, the counters and the election workers, but hey it is a small county and there is some money to be made.

So they go to their candidates and ask them money for this guaranteed victory. TO be sure they pay some people to vote accordingly in the preliminary voting period (in which many controls are absent).

I am not sure how it was discovered (and the sums are quite small) but they will all end up in jail.

But what is most interesting is that this social engineering attack (or user interface mistake) was a zero day that was discovered by others who didn't report but used it to their advantage (for some time).

So two questions remain

* shouldn't we when testing evoting procedures and installations more work/attack through scenario's and scheme's instead of a list of things to check ?

* how many more zero days are there out there in the evoting process ?

OSCE begins monitoring the evoting process in the US that will be the biggest ever e-lection in the developed world (without population register or national ID either - imagine)

These documents are a good preparation

This is why Obama needs to win by a landslide so the difference isn't decided on technical and legal discussions like in 2000 and 2004.

http://www.esat.kuleuven.be/~decockd/slides/electronic.vo...

but as we always say - the problems are in the details not in the presentations, presentations aren't detailed enough to take into consideration the possible problems.

The last two elections were a hell of problems, lawyers and voting technologies that seem to be problematic coupled with democratic questions about the number of people that were allowed to vote or that practically couldn't vote because the infrastructure was not present to accomodate them all.

http://www.866ourvote.org/real-stories/ 

and another series that are in this letter from this representative 

http://judiciary.house.gov/News/PDFs/Conyers-Nadler-Sanch...

how volunteers audit polling stations and voting technology and procedures

http://www.counttheballots.org/audits.htm

You must think that I am crazy but in several states the US has started voting. This can be done by mail or in voting offices.

In fact there is no US election, there are elections for the US president in each US state organised by the State the way the State wants to organize it. There are a few reglementations and norms, but they still leave a lot of leverage and freedom to the states themselves. It is for this reason that voting starts and ends at different dates/hours in states and that the voting technology or ways in which you can vote differs also from state to state and sometimes even withing states. And this accounts for each part of the voting process.

We have seen the troubles in 2000 in Florida by which the Democrats had the feeling that the election had been stolen by lawyers and the threat of institutional chaos by Bush. We have seen the troubles in Ohio in 2004 by which some democrats think that the election had also be stolen. So you can expect the Democrats and the activists to be on their guard and to report and treat each incident with all the attention it may need. You can be sure that there are hundreds of lawyers (freelance or paid) that are on standby and have instructions or plans to follow up on each problem.

For the Europeans you should smile and think that those stupid Americans aren't capable of organizing their own presidential election in a decent way. First you have no president but a commissar. Secondly the election for your European parliament is a democratic joke if you take into the account the totally different ways in which they are organised and controlled across the EU.

So back to the US. The Democrats have learned that an advantage in the polls is a smokescreen and that even with that advantage you can still lose 2 elections on election night (or the weeks of legal battle afterwards). The Republicans know that they have won 2 elections the hard way and that it is never too late to win another.

And as the polls are going in every direction and as the primaries have shown that a certain part of the electorate at the very last moment may possible not be able to give their vote to Obama in the voting booth, every problem with voter registration, voting technology, votekeeping and votecounting technology may have an enormous impact.

http://www.wvgazette.com/News/200810170676?page=1&bui...

It would be a pitty if that would be the case because the next president needs a landslide to have enough power to make a new deal in this new century which already seems to start as dangerous as the last one.

Ohio is an important state to watch because the elections in 2004 were rumored to be so faulty that it was only 'in the protection of the state' that the Democrats not refused to accept the results even if the elections the day self were marked by incidents. It can be that while everybody is watching Ohio in the next elections and hundreds of volunteers, observers and lawyers go through the state and its election boxes, problems that can make a difference arise somewhere else, because this is also what Ohio in 2004 was all about. Everybody was watching Florida where everything went wrong in 2000. (*)

• Another "Odd 'series' of events" with the Bd. of Voting Machine Examiners - this time with ES&S
• Ohio mulls ban on voting machine 'sleepovers'  IMPORTANT
• Ohio Election Officials May Face Criminal Charges: Ohio Election Justice Campaign Files in Federal Court
• Ohio Elections – Past and Future – Spawn Speculation, Special ConcernForeclosed-on voters using old addresses could snag election

National

• Sneak Preview of "Count My Vote - A Citizen's Guide to Voting"
• VA should allow voter drives at its hospitals, senators urge
• FedEx Express Launches Express Your Vote Initiative with Overseas Vote
• Computer Voting Machine Security Prove It
• Volunteer Poll Workers Help Ensure Integrity of U.S. Elections  IMPORTANT
• Can Americans trust vote results?
• Ballot Woes As We Head To Polls

New York

• Ulster County moves forward with its new special needs voting machines
• Westchester lawmakers approve purchase of building to house voting machines (see also sleepovers above)
• Not Ready for Prime Time Nassau County Refuses to Accept More Failing Systems

Florida (where everything went wrong in 2000)

• Sarasota County - Defending free elections
• Sarasota group battling state over accuracy of electronic voting 
• Sarasota County - County holds mock election to test machines

Texas (where there is now an incident to follow up)

• Democratic Party files appeal over eSlate voting equipment
• Human error or faulty technology? Review screen prompts missed votes on eSlate

ELSEWHERE

• ALASKA: Officials Investigate 3 Alabama Counties in Voter Fraud Accusations COLORADO: Mesa County - County to test election equipment
• Additional machines, vote centers on tap for primary, general election
• ILLINOIS: Kane County - Vote centers could change 'politics as usual'
• IN: Johnson County - Officials to discuss new voting machines
• SOUTH CAROLINA: Horry County on 'Election Protection Watch List'
• NM: Candidate wants answers about missing NM ballots

* everything goes wrong in an election if the outcome is n't legitimized and it are lawyers and technical experts that have to make electoral decisions after which one of the two candidates in this legal-technical-institutional chaos has to 'blink' in the interest of the economy, the state or whatever higher purpose. One could say that someone has been appointed President in such a situation.

Vandaag staat in het parlement het dossier van het electronisch stemmen op de agenda. Aan de agendering zijn heel wat discussies voorafgegaan, en werden verschillende experten geconsulteerd.

Dit resulteerde in de voorstelling van twee resoluties in commissie: een resolutie van de CD&V waarin experimenten met een ‘verbeterd’ stemsysteem worden voorgesteld, en een resolutie van de PS waarin de electronische stemming wordt afgeschaft.  Beide resoluties vertrekken niet alleen vanuit de meerderheid, ze vertrekken ook van dezelfde vaststelling: het electronisch stemsysteem zoals het totnogtoe in ons land werd toegepast, is onvoldoende transparant en onvoldoende controleerbaar. Vanuit democratisch en technisch oogpunt is het hergebruik van de oude code van het electronisch stemsysteem voor de verkiezingen van 2009, zoals wordt voorgesteld door de CD&V en de VLD/MR, dan ook niet zonder problemen.

Groen! is absoluut voorstander van verdere automatisering, en voor een vlotte en snelle stembusgang. Het huidige debat heeft echter niet te maken met de vraag of men voor of tegen een automatisering van het stemmen en/of het tellen is, maar alles met de mate waarin dit op een open en professionele manier wordt georganiseerd, gecontroleerd en gelegitimeerd. Op dit vlak kunnen we echter enkel vaststellen dat er vandaag nog heel wat vragen resten.

Niet alleen beantwoordt de stemcomputer nog onvoldoende aan het democratisch principe van gelijkheid, waarbij o.a. slechtzienden en blinden worden benadeeld; het houdt ook geen rekening met de nog steeds bestaande digitale kloof bij 20% van onze bevolking. Maar liefst 1,9 miljoen Belgen had in 2006 zelfs nog nooit een computer gebruikt, waaronder vooral laaggeschoolden, werklozen en ouderen (zie: http://statbel.fgov.be/press/pr090_nl.pdf).

Op gebied van controle stelt zich de vraag naar de fraudegevoeligheid  en correctheid van het systeem. In de Verenigde Staten werden proefopstellingen uitgevoerd waarbij het stemsysteem werd gehackt met een programma dat zichzelf uitwiste zodat het geen enkel spoor naliet. Kiescomputers hebben er daarom ook een papieren controleprint. In Nederland, een land dat zelfs stemsystemen ontwikkelde en aan andere landen doorverkocht, waren er zoveel problemen opgedoken na de tests uitgevoerd door de Algemene Inlichtingen en VeiligheidsDienst (AIVD), dat men terug heeft gekozen voor het stemmen op papier. In Ierland werden de aangekochte (!) stemcomputers zelfs nooit in gebruik genomen. Op dit moment is België het laatste land in Europa dat nog gebruik maakt van het electronisch stemsysteem.

Het systeem kost ook enorm veel; maar liefst drie maal zoveel dan het stemmen met potlood en papier.

Naar aanleiding van de nakende stemming over het eventueel hergebruik van de oude code in de verkiezingen volgend jaar, willen we volgende ideeën onder de aandacht brengen om het proces niet alleen meer open, maar ook meer betrouwbaar en duidelijker te maken.

Dit heeft niets te maken met nederlandstalig of franstalig, met wie wat betaalt of organiseert en of je voor of tegen een zekere vorm van automatisering van het stemmen en/of het tellen bent, het heeft alles te maken met de mate waarin je dat op een open en professionele manier organiseert, controleert en legitimeert.

Dit zijn de drie belangrijkste aandachtspunten indien men toch naar een zekere vorm van automatisering wilt gaan van het tellen en of het stemmen

Yes, according to the parliamentary commission we will use the same old code and the same insufficient audits and controls for the elections next year, if the governement doesn't fall in two weeks time and we have an institutional crisis on our hands.

But every commune will have the choice between the electronic and the papervote, although they shouldn't pay a cent more if they chose the electronic one.

So we the discussion about the next election is coming down to a decision on the communal level. There is no big organisation in Belgium that has affliates and other organisations throughout the country. So it will all depend on the local political interests and coalitions.

The biggest problem today is that the audit and the oversight between production and the validation of the results is so insufficient that there is no normal big firm that could be audited that way. The auditor is chosen by the firm that delivers the software for example and the oversight is done by specialists from the parliament that have to do that next to their normal job and without external assistance and without public procedures and standards. There is also no organised public oversight and audit by the people for the people and about the people.

We trust, but don't ask us what......