
Software used to count Australian Senate votes is a “trade secret” - mlandauer
http://easycount.mjec.net/
======
colmmacc
Visibility of the source code is a side-show in electronic voting systems.
Even if the source code is published, there is no way to be sure that that is
the code that is running on the hardware, or to be certain that the hardware
itself has not been tampered with. Votes need to be printed out on paper,
verified by the voter, and counted by hand.

Still, when we had the source code for the Irish system (now abandoned due to
our efforts) analyzed by a commission, it was found it had actual counting
errors.

[http://www.stdlib.net/~colmmacc/www.cev.ie/htm/report/part4_...](http://www.stdlib.net/~colmmacc/www.cev.ie/htm/report/part4_2.htm)

Amazing!

~~~
zmmmmm
It's not a side show at all, it's the most important thing. By showing us the
code the AEC is making the implicit commitment that this _is_ the code running
on their systems. Until they show us some code they are not even making that
commitment at all - they could be running anything, they could change it every
day to match their whims.

My own suspicion is that they DO know of numerous problems either current or
past and quite likely these will cast enough doubt on some particular past
results that it would bring about a constitutional crisis.

~~~
colmmacc
I don't mean any offense - but your position is not self-consistent. "Showing
us the code" does not invalidate "could change it every day to match their
whims".

For example the entire source code to Linux is public, but looking from the
outside, you as an observer have no way to know that a particular copy of the
Linux code is what is running on my laptop.

Which is why I say it's a side-show. If the source code is shabby, getting it
might help a little in the short-term; it makes the whole process less
reputable. But code can be rewritten. It distracts from the real need;
independent verification of the process itself.

~~~
gipp
The point, though, is that releasing the source code under the pretense that
it is the running code can create a _legal obligation_ that what's released is
what's run. No, it doesn't prevent them from running something else, but it at
least creates the possibility of audits and consequences if they do so.

~~~
zmmmmm
Thanks - this is exactly my point.

~~~
efaref
But do you even trust the compiler they use?

Computers you don't totally control are inherently untrustworthy:
[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

For most things it doesn't matter enough, but for deciding who gets to run the
country, I think we need a higher standard.

~~~
bmm6o
I know everyone likes to cite that paper whenever they can, but it's not
really relevant here. In this hypothetical, they give you the source but they
compile it to binary. They do not provide you with the compiler or its source.
The compiler can be malicious, but there's no need to hide its maliciousness -
they don't even prove that the software running is in _any way_ derived from
the source they've given you! It would be a giant leap forward to have to
design against KT-level shenanigans. The whole process can currently be
subverted with CS 101-level jiggery pokery.

------
thrush
Professor Alex Halderman from Michigan has performed a few studies on
Electronic Voting and Electronic Voting Machines, and essentially has proven
that it is insecure. At one point, he hacked an American EVM to play the
Michigan Fight song on every submission. You can read a few of his papers
here: [1][2]

The challenge of creating anonymous and secure voting systems is still an area
of constant research, and I do not believe that the Australian gov't has
solved these problems yet.

Should we view the source? If we know it's insecure because it's basically
unbelievable to think that otherwise, what good will seeing the code do? The
fact that it is not being shown basically confirms the insecurity (if it was
truly secure, we'd be able to see it without having a negative effect on the
system). It seems the right thing to do is to fight this method of voting
until EVMs are more secure, but maybe we should hedge our bets. Maybe we're
going to be stuck with these EVMs in the interim, and we should avoid leaking
the source to prevent people who have difficulty viewing the source.

[1] [https://jhalderm.com/pub/papers/evm-ccs10.pdf](https://jhalderm.com/pub/papers/evm-ccs10.pdf)
[2] [https://jhalderm.com/pub/papers/voting-wecsr11.pdf](https://jhalderm.com/pub/papers/voting-wecsr11.pdf)

~~~
colmmacc
The Dutch group "We don't trust voting computers" [1] hacked up a machine to
play chess [2]. It could easily beat a novice.

[1]
[http://wijvertrouwenstemcomputersniet.nl/English](http://wijvertrouwenstemcomputersniet.nl/English)
[2]
[https://www.flickr.com/photos/colmmacc/sets/7215759431270116...](https://www.flickr.com/photos/colmmacc/sets/72157594312701166)

------
sgryphon
As suggested, releasing the raw data as input would be better than the source
code anyway. The raw data should not have any 'trade secret' or 'hack
vulnerability'.

Vote for it on data.gov.au
[https://datagovau.ideascale.com/a/dtd/AEC-Raw-voting-data/42...](https://datagovau.ideascale.com/a/dtd/AEC-Raw-voting-data/42018-26233)

~~~
pwc
You can download the 2013 Senate below-the-line preferences from here:

[http://results.aec.gov.au/17496/Website/SenateDownloadsMenu-...](http://results.aec.gov.au/17496/Website/SenateDownloadsMenu-17496-csv.htm)

(Down the bottom, under “State Below the Line Preferences”)

I think those files, plus the above-the-line preferences should be enough to
re-do the AEC's calculation... I would be interested to know if anyone had
ever tried that.

~~~
Maxious
[http://blog.angrygoats.net/2014/01/25/counting-the-west-aust...](http://blog.angrygoats.net/2014/01/25/counting-the-west-australian-senate-election/)
uses those files I think and is cited in the FOI review as an example of how
someone could reproduce their "trade-secret" algorithm using publicly
available information.

------
3rg0s4m
The algorithm used is fairly complicated, being both preferential and
proportional. (The lower house is preferential but not proportional).

Here is a nifty visualization of the senate vote flows in NSW:
[http://www.grwpub.info/senate/nsw.svg](http://www.grwpub.info/senate/nsw.svg).

Essentially you need a certain number of votes to cross the line and win a
seat. After winning the seat, those votes are subtracted from the party.
Eventually when no parties have enough votes, the lowest voted party is
eliminated and its votes are redistributed by preference.

~~~
timv
I once attempted to implement the Senate counting algorithm (mostly so I could
force myself to truly understand it).

I can say with great confidence that it is hard to implement correctly, and it
would take more than a single external audit to give me confidence that the
AEC's implementation is flawless.

~~~
nmrm
What's up with the yellow lines going from already-excluded parties?

~~~
makomk
Apparently [http://www.grwpub.info/senate/](http://www.grwpub.info/senate/) is
the description that goes with that animation. The yellow lines are votes for
parties that were already eliminated getting redistributed again because the
party their votes had gone to is being eliminated too.

------
josephg
That's appalling.

As an Australian citizen, who should I call about this to voice my objection?

~~~
dwd
Try your local member. My local electorate is Fairfax so a bit of a no
brainer.

Edit: Before anyone points out Clive's not in the Senate, he does have a very
vocal, ongoing feud against the AEC and the budget for the AEC would most
likely originate in the lower house.

~~~
sjwright
> My local electorate is Fairfax

I'm sorry.

------
quink
[http://www.zdnet.com/au/senate-calls-for-release-of-aec-vote...](http://www.zdnet.com/au/senate-calls-for-release-of-aec-vote-count-source-code-7000031437/)

[http://www.brisbanetimes.com.au/it-pro/government-it/vexatio...](http://www.brisbanetimes.com.au/it-pro/government-it/vexatious-digital-activist-forces-australian-electoral-commission-to-release-secret-computer-code-20140710-zt27i.html)

~~~
mjec
The Electoral Commission has since refused to comply with the Senate order to
release the source code:
[http://lee-rhiannon.greensmps.org.au/sites/default/files/ron...](http://lee-rhiannon.greensmps.org.au/sites/default/files/ronaldson_response.pdf)

~~~
harkyns_castle
"I am advised that publication of the software could leave the voting system
open to hacking or manipulation".

Well, if the problems are there, opening up the source to more eyes strikes me
as the obvious thing to do; or should those with the knowledge of how to
manipulate it as it stands be kept to the bare minimum? :)

But in any case, at least the meat of the implementation of the algorithm
should be OK to release I would've thought - surely that isn't someone's
intellectual property?

This is software we paid for and strikes me as pretty important to the
democratic process, I'd like to have a bit of a look at it.

~~~
raving-richard
A smart cookie could vote in such a manner as that when the information is
entered into the system, it crashes it? Maybe that's what they mean by
manipulation...

Or, is it available online without any authentication other than knowing where
it is? So if you know where it is, you could enter votes and then manipulate
the election with those fake votes...

~~~
jacques_chester
> _A smart cookie could vote in such a manner as that when the information is
> entered into the system, it crashes it?_

"Informal" votes -- ballots where the voter does not correctly fill out the
ballot paper -- are rejected from the tally by the counters under supervision
from scrutineers.

If you use hexadecimal, it will be rejected. If you use a very large number,
it will be rejected. If you use weird unicode characters, it will be rejected.
If it's anything other than a) a single [1] "above the line" or a fully
filled-out ballot "below the line" comprised of numbers from 1-n where _n_ is
the number of candidates-1, it will be rejected.

If it's crashing on properly filled-out votes, there's a bigger problem.

------
DigitalSea
If releasing the code is an issue, how about a compromise instead? How about
releasing the code to a handful of independent third party firms and academics
to determine for themselves if the code is safe. Does the AEC have an audit
process in place where the code is checked and is there a testing environment
of which the code is strongly tested for issues?

Given the undeniable complexity of such an algorithm, it would take more than
a single audit to verify that it is secure. I don't doubt there is something
up in the process somewhere, when it comes to vote redistribution I believe if
not done correctly and properly tested, there could be some issues in that
part alone.

Or better yet, release the data and allow academics from multiple institutions
to independently run their own counts and then see if the results match up
with that of the AEC's. I think that could be another way without releasing
the code and verifying the results are accurate.

~~~
cmrn
A review of the EasyCount software is currently out for limited tender:
[https://www.tenders.gov.au/?event=public.cn.view&CNUUID=53E3...](https://www.tenders.gov.au/?event=public.cn.view&CNUUID=53E31E1A-E681-11E3-D447B0A5C9424137)

However that's still a far cry from any real scrutiny and transparency…

------
josephschmoe
Honestly, the only way to prevent election rigging is to associate each vote
with a key, make the key-vote-district database public and give each voter a
copy of their vote keys.

If each vote is verifiable to the voter and the whole database is public, then
we can have independent analysis done on the votes and no vote rigging is
possible, except for creating additional fake keys.

And we can fix that problem simply by making the keys associated with a voter
registration, which requires an ID. Same way we do now. Granted, that's still
limited by the issues with paper ballots.

------
EGreg
I propose someone sponsors a bill whereby any voting software used to count
votes by the public must be open sourced and have several signatures (md5,
sha1, etc.) which each voting center must verify before deploying it.

The voting centers would just have generic computers (perhaps with special
peripherals for voting) which would load the software from a file and they
could verify the signature of the file. There could be software that does this
automatically. Such as the Apple app store.

That way, if any data centers detect an anomalous signature, they'd report it
and it would raise a stink.

This is similar to the Apple App store except instead of Apple owning the
ecosystem it would be their government. There are even better ways without all
this crap -- either use an existing App Store from Google or Apple (or all) or
have a browser extension and distributed app store from a distributed social
app platform ;-)
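
A sketch of the pre-deployment check proposed above, added here as an example and not part of the original comment or any electoral body's tooling. `publish_manifest`, `verify_release` and the sample bytes are hypothetical; the example additionally requires a SHA-256 or SHA-512 entry, because practical collisions exist for MD5 and SHA-1.

```python
import hashlib
import hmac

STRONG = {"sha256", "sha512"}  # assumption: at least one of these must be listed

def publish_manifest(data, algorithms=("md5", "sha1", "sha256")):
    """What the publisher would release: one hex digest per algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def verify_release(data, manifest):
    """Return a list of problems; an empty list means every digest matched."""
    problems = []
    if not STRONG & set(manifest):
        problems.append("manifest lists no collision-resistant digest")
    for alg, expected in sorted(manifest.items()):
        try:
            actual = hashlib.new(alg, data).hexdigest()
        except (ValueError, TypeError):
            # Unknown name, or an algorithm that needs extra parameters.
            problems.append(f"{alg}: unsupported algorithm")
            continue
        # Every listed digest must match; one mismatch is enough to report.
        if not hmac.compare_digest(actual, expected.strip().lower()):
            problems.append(f"{alg}: digest mismatch")
    return problems

# Constructed stand-in for the counting-software image (not real software).
RELEASE = b"constructed counting-software image v1\n"
MANIFEST = publish_manifest(RELEASE)

if __name__ == "__main__":
    print(verify_release(RELEASE, MANIFEST))            # clean copy
    print(verify_release(RELEASE + b"\x00", MANIFEST))  # altered copy
```

A clean result covers only the file that was hashed, and only if the manifest itself reached the voting center over a trusted channel. It does not show what the machine executes afterwards, which is the objection raised earlier in the thread.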

------
sergiotapia
A counting algorithm is a trade secret? How did this even come to be?

~~~
mlandauer
The algorithm is public. It's the Australian Electoral Commission's
implementation of it, their software, that's used in public elections that
they're calling a trade secret.

~~~
retroencabulato
In their defence, in Section 15 of the FOI rejection letter, they mention the
software is used for several fee-for-service industrial elections.

~~~
michaelhoney
They still have copyright on the software: copying it and, say, undercutting
the AEC on the fee-for-service would be illegal. Far more likely that the AEC
don't want to have their software open to scrutiny by politically-motivated
geeks.

~~~
Maxious
"Under the Fair Work (Registered Organisations) Act 2009 (the Act), the AEC
must conduct all elections for office in registered organisations unless an
exemption has been granted by the Fair Work Australia."
[http://election.aec.gov.au/About_AEC/AEC_Services/Industrial...](http://election.aec.gov.au/About_AEC/AEC_Services/Industrial_Elections/index.htm)

So they have a protected monopoly for that too?

~~~
zo1
Yes, it's a government... it grants and enforces monopolies.

------
mlandauer
If you want to help solve this please contribute to @mjec's campaign to raise
money for representation by a barrister at the AAT appeal
[http://www.pozible.com/project/183015](http://www.pozible.com/project/183015)

------
Tloewald
I've always thought the Hare Clark system is intrinsically undemocratic (even
though it produces reasonable results) because no one seems to understand it
(certainly the people who claim to can't explain it). It's also
non-deterministic -- the outcome can change based on the order in which votes
are counted (although the impact will be very small in all probability).

~~~
sgryphon
STV used in Australia is deterministic. It does not change depending on the
order in which votes are counted.

~~~
Tloewald
You don't understand the system. Surplus votes are distributed based on
preferences, so order does matter because preferences will be different from
one ballot to the next. Which ballots fill a candidate's quota determines
which preferences don't get assigned.

~~~
jlangenauer
The preferences on quota surplus votes are transferred at a fractional value,
so every ballot is counted.

It didn't always use to be, though - prior to computers, to establish the
fractional vote transfers, a "sample" of surplus votes to a quota used to be
randomly selected.
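
The difference between the two surplus methods described in this sub-thread, as an added example that is not part of any comment and is not the AEC's code. It is a simplified first-count surplus transfer (Droop quota, no exclusions, constructed ballots), and the `sampled` mode takes the papers on top of the pile to stand in for the random sample.

```python
from collections import Counter
from fractions import Fraction
import random

# Constructed ballots (not AEC data): 30 papers, 2 seats, preferences in order.
BALLOTS = [("A", "B")] * 10 + [("A", "C")] * 6 + [("B",)] * 8 + [("C",)] * 6

def droop_quota(n_ballots, seats):
    """Votes needed to win a seat: floor(n / (seats + 1)) + 1."""
    return n_ballots // (seats + 1) + 1

def next_pref(ballot, elected):
    """Next candidate on the paper who has not already been elected."""
    return next((c for c in ballot[1:] if c not in elected), None)

def transfer_first_surpluses(ballots, seats, sampled=False):
    """Tallies after first-count surpluses are transferred.

    sampled=False: every paper of an elected candidate moves on at the
    fractional value surplus / papers held.
    sampled=True: only `surplus` papers move, at full value; the papers on
    top of the pile stand in for the random sample (simplification).
    """
    quota = droop_quota(len(ballots), seats)
    firsts = Counter(b[0] for b in ballots)
    elected = {c for c, n in firsts.items() if n >= quota}
    tally = {c: Fraction(n) for c, n in firsts.items()}
    for cand in sorted(elected):
        pile = [b for b in ballots if b[0] == cand]
        surplus = len(pile) - quota
        if sampled:
            moving, value = pile[:surplus], Fraction(1)
        else:
            moving, value = pile, Fraction(surplus, len(pile))
        for paper in moving:
            target = next_pref(paper, elected)
            if target is not None:  # papers with no further preference exhaust
                tally[target] = tally.get(target, Fraction(0)) + value
        tally[cand] = Fraction(quota)  # the elected candidate keeps exactly a quota
    return quota, tally

def winners(ballots, seats, sampled=False):
    quota, tally = transfer_first_surpluses(ballots, seats, sampled)
    return sorted(c for c, v in tally.items() if v >= quota)

if __name__ == "__main__":
    shuffled = random.Random(1).sample(BALLOTS, len(BALLOTS))
    print("fractional:", winners(BALLOTS, 2), winners(shuffled, 2))
    print("sampled:   ", winners(BALLOTS, 2, True), winners(BALLOTS[::-1], 2, True))
```

With fractional transfers the second seat goes to B whatever order the papers are in; with the sampled transfer the same 30 papers elect B or C depending on which five papers are drawn from A's pile.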

~~~
Tloewald
Ok, thanks for the correction then. My knowledge of the system was out of date
(as is the article I checked it against).

But the fact almost no voter understands it remains an undemocratic feature.

------
doctorKrieger
How hard is it to add numbers?

~~~
GhotiFish
Imagine if the Principia Mathematica was decided upon by democracy.

That hard.

~~~
doctorKrieger
Still, I cannot comprehend that; the software simply has to measure the number
of votes...

~~~
GhotiFish
Forgive me for being snarky. The real challenge is surviving voter
manipulation.

Parties would intercept communication, and compromise machines.

Voting machines have to remain secure, despite opponents having physical
access to the machine, and currently security doctrine is basically "Once your
opponent has physical access, you lose."

