Feeds

Irish e-voting emerges from the crypt

On government life support

The Power of One eBook: Top reasons to choose HP BladeSystem

After spending €52m on a computerised voting scheme that doesn't work reliably, and warehousing the kit at a cost of about €800,000 per year, the Irish government would like to revive the technology so that the country's reputation doesn't suffer.

Ireland will be embarrassed without computerised balloting, Taoiseach Bertie Ahern claimed during a Dáil session last week.

"We have to correct the software, which will cost €500,000 and try to move forward. Otherwise, this country will move into the 21st century being a laughing stock with our stupid old pencils," the Taoiseach explained.

(The Times Online quoted him as saying "stupid aul pencils", but we can assure readers that the Taoiseach does not, in fact, talk like animated Lucky Charms cereal pitchman Lucky the Leprechaun.)

According to government reports on the system's various flaws, the hardware is acceptable. The software, not so much.

Labour Party leader Pat Rabbitte was strident in his criticism of the whole scheme, and repeatedly suggested that there is no way forward. He was at a loss to suggest any positive step, however, and even declined to advocate scrapping the scheme once and for all - which makes sense, as it would remove from his use a fair bit of ammunition with which to ridicule the government. Which he does rather nicely.

Rabbitte had supported e-voting, although when confronted with this fact insisted that he'd supported "a working system". Which Ireland clearly does not have.

The fact is, the whole debate is academic. It makes no difference whether one uses electronic gadgets, paper ballots, or a combination. All that matters are the security protocols in effect. A strictly paper system can be quite secure if it's designed right. Similarly, an electronic system can be quite secure - again, if it's designed right.

The combination of electronic machines with a paper record has become an obsession among a number of "activists", but it, too, can only be useful if the design is secure. Still, it's the least desirable alternative because it introduces needless complexity, and tremendous uncertainty when results are in dispute. How do you know which record, the electronic or the paper, is valid? Either component can be attacked, can fail, or can simply be designed badly.

The Irish system is now so mistrusted that there is nothing anyone can do to fix it (including actually fixing it). Ahern is in a terrible position. His government squandered the €52m, and everything he says sounds like spin, even on those occasions when it isn't.

For example, when confronted by news that a voting machine had been compromised, Ahern noted that "the anti-electronic voting campaign group in the Netherlands physically hacked into a machine to demonstrate security flaws. If one hacked into a ballot box one could do that too".

It's a sensible observation, but it doesn't help. The public perception is that machines are easier to hack, and that it's easier to conceal the fact. Meanwhile, the opposition likes having the e-voting debacle to hang around Ahern's neck when it suits them.

At this point, the only sensible thing to do is start over. A well-designed paper system would be a perfectly good place to start. But if Ireland has got to have electronic voting to boost the government's self esteem, then fine.

For secure, trustworthy e-voting, one needs hardware validated by an independent (and competent) testing agency, and a system to ensure that only validated hardware is used (ie, no post-validation equipment changes of any sort, and fragile seals to indicate tampering visibly).

Next, one needs software validated by an independent testing agency, and a mechanism to ensure that only validated software can be installed. This would involve the compiler, all source code, libraries, encryption software, etc. It doesn't have to be open source, but the validating agency has got to have access to every single bit. It would then build all of the software and issue approved copies. This can be verified cryptographically, cheaply, and easily.

Of course, there must not be any mechanism for remote IP access or switched telephone access to the machines or the database. Leased lines only.

There also needs to be a validated auditing mechanism to show every instance of access to the machines and the database.

Finally, one needs redundancy in the database and in each machine, so that when one fails, its contents cannot be lost. And there must be a mechanism to ensure that when it fails, it will cease to function (ie, it will fail safe), with its contents up to that point preserved. That's basically it, although there are numerous details which The Register has covered at length previously, here and here.

It appears, however, that the government will make some improvements and try to call the system fixed. But patching isn't good enough; the system is not trusted and it needs to be re-worked with a comprehensive set of security and trustworthiness protocols. Otherwise, important weaknesses will undoubtedly be overlooked and the debate will go on, pretty much for eternity. ®

Top three mobile application threats

More from The Register

next story
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.