Software used to count Australian Senate votes is a “trade secret” (mjec.net)
341 points by mlandauer on July 15, 2014 | 99 comments



Visibility of the source code is a side-show in electronic voting systems. Even if the source code is published, there is no way to be sure that that is the code that is running on the hardware, or to be certain that the hardware itself has not been tampered with. Votes need to be printed out on paper, verified by the voter, and counted by hand.

Still, when we had the source code for the Irish system (now abandoned due to our efforts) analyzed by a commission, it was found it had actual counting errors.

http://www.stdlib.net/~colmmacc/www.cev.ie/htm/report/part4_...

Amazing!


Australian elections ARE pen and paper.

The ballots are entered (by hand AFAIK) into the AEC's central system to compute the complex preference flows. Realistically, the algorithm isn't that complicated, and the ABC does a good job at guesstimating it [1]. This is why it is so surprising they refuse to release it, even after the Senate passed a motion demanding its release [2].

[1] http://www.abc.net.au/news/federal-election-2013/results/sen...

[2] http://www.computerworld.com.au/article/550114/electoral_com...


At Ruxcon last year there was a very interesting talk by an electoral systems researcher (I can't recall her name). She went through a number of electronic voting systems, and they all suck. Some more than others. The only case where she found a system that was close to acceptable was in a crypto organisation where everyone was highly technically fluent in the system. Certainly not transferable to the general public. She also noted that computerised systems tend to favour right-wing policies even if the algorithm is fair - people who vote for leftist policies are over-represented amongst migrants, people with disabilities, and other non-mainstream demographics.

She did have the opinion though that there was a place for electronic machines in the voting booth, and it was this: register your vote on a machine. It prints out a slip with clear, unambiguous markings against your selected candidate(s). Verify that it has the content you want, then go lodge the slip like any other paper ballot. You now have a clearer, less ambiguous version of the paper ballot, which is more accessible to people with certain kinds of disabilities to boot.

Most of the times that a paper ballot recount differs is not because of inept counters, but because some voters leave ambiguous marks. She said that in Australia, it has about the best system possible (edit: probably 'in current use') in terms of verifying the count: an AEC official does the counting, and the major parties volunteer scrutineers to challenge ambiguous voting slips. As there are mutually opposing witnesses, you get a fairly robust count - the differences come when one set of scrutineers allows one ambiguous mark, but on a recount that same ambiguous mark gets treated differently by another set of scrutineers.

The important thing is the pile of paper though - the evidence that people voted a certain way. In effect, as soon as you don't have the physical evidence, you're at the mercy of "trust us, it's accurate". How do you scrutinise that?


It was Vanessa Teague from Melbourne Uni

http://people.eng.unimelb.edu.au/vjteague/


>in Australia, it has about the best system possible [...] in terms of verifying the count: an AEC official does the counting, and the major parties volunteer scrutineers to challenge ambiguous voting slips

That's actually how it works in Italy as well: each poll station has an official "commission" and party-nominated "observers" who can challenge slip by slip. It's probably the fairest system one can devise, although it relies on political activism (a party without enough volunteers to cover all poll stations will likely miss out votes here and there, although this might be irrelevant depending on how winners are determined).


Correct. I have done scrutineering in Australian elections. It is fun as you get the local results before anyone else. Also you see the comments people write on the papers

Eg Youse bastards r al liers!


It's not a side show at all, it's the most important thing. By showing us the code the AEC is making the implicit commitment that this is the code running on their systems. Until they show us some code they are not even making that commitment at all - they could be running anything, they could change it every day to match their whims.

My own suspicion is that they DO know of numerous problems either current or past and quite likely these will cast enough doubt on some particular past results that it would bring about a constitutional crisis.


I don't mean any offense - but your position is not self-consistent. "Showing us the code" does not invalidate "could change it every day to match their whims".

For example the entire source code to Linux is public, but looking from the outside, you as an observer have no way to know that a particular copy of the Linux code is what is running on my laptop.

Which is why I say it's a side-show. If the source code is shabby, getting it might help a little in the short-term; it makes the whole process less reputable. But code can be rewritten. It distracts from the real need; independent verification of the process itself.


The point, though, is that releasing the source code under the pretense that it is the running code can create a legal obligation that what's released is what's run. No, it doesn't prevent them from running something else, but it at least creates the possibility of audits and consequences if they do so.


They already have a legal obligation to count appropriately. The publicity of the source code is irrelevant to that.


Thanks - this is exactly my point.


But do you even trust the compiler they use?

Computers you don't totally control are inherently untrustworthy: http://cm.bell-labs.com/who/ken/trust.html

For most things it doesn't matter enough, but for deciding who gets to run the country, I think we need a higher standard.


I know everyone likes to cite that paper whenever they can, but it's not really relevant here. In this hypothetical, they give you the source but they compile it to binary. They do not provide you with the compiler or its source. The compiler can be malicious, but there's no need to hide its maliciousness - they don't even prove that the software running is in any way derived from the source they've given you! It would be a giant leap forward to have to design against KT-level shenanigans. The whole process can currently be subverted with CS 101-level jiggery pokery.


So why not also demand the object code. Then you can mistrust the hardware instead.


I actually see where both you and the person you're debating with are coming from. Yeah, it's kinda a side-show because they can publish anything they want and you or I can't verify that's truly what is running. But it's a side-show that can turn into the main-show if the government really screws it up or a whistle-blower appears on the scene. From that angle, I say making them publish the code & promise the public that's the real code in production will then at least add one more avenue for any government-scandals to be "accidentally" revealed.

Basically, the more often you can force someone to tell a lie the more likely they screw up somewhere and it all falls apart.


If they could be legally compelled to release it once, perhaps there is some way of legally compelling them to always have the most recent version published.


Or, as they said, the software has commercial value:

http://www.aec.gov.au/about_aec/AEC_Services/Fee_for_service...


Well if we all disagreed in closed source voting systems. Then it would have 0 value...


Let's put it to a vote. Along with the proposal to renew the contract... we'll just have to do it after the upcoming scheduled maintenance on the voting system...

Maybe there should be a provision that votes concerning the voting system uses the most conservative and/or transparent means of voting available (such as counting a show of hands, or paper slips...)?

Either way this is silly. Yes, it is hard to trust the entire system, without doing a system audit. Fundamentally, when you put your voting logic into a few opaque plastic boxes whose only interface is a green and red button, it's pretty hard to know that the system hasn't been tampered with, is secure, does what it is supposed to do, does what it did yesterday today as well... but surely opening up the source is a great start?

I'd propose a simple system based on Forth and micro-controllers, that would allow for (reasonable) analysis of the binary machine code -- perhaps with random sampling and destructive reverse-engineering testing of all of the component parts every now and then.

Then we could worry about whether the people doing the auditing were on the take or not...

Actually, how about this: for stuff like this which is presumably public voting anyway, use two flags and a high-resolution camera, coupled with face detection and signal processing to determine the vote -- along with archiving the photo with a time-stamp (and vote number/identifier) for easy (manual) auditing. Audit a random sample (with representatives from all parties doing the auditing) every now and then?

Might not even have to use facial recognition -- just have every (voting) member wear a qr-code button on their shirt...

(Then you could worry about a system that did real-time altering of the recorded image, as has been demonstrated a year back (e.g. dynamically replacing ad boards in live sports events...)). I do believe there's distrust all the way down. Maybe we should just leave the decisions to a dictator.


The Australian software is not used for recording votes. It's used to assist the counting of physical ballot papers because the Senate vote counting system is extremely complicated. In this environment it's more straightforward to ensure the integrity of the software (as long as it's open and verifiable of course)


In that case a simpler fix would be to allow any independent party (within reason) to supply and use their own software and render their own tally.

If the parties are mutually distrusting, and their tallies still agree, that can be enough to trust the outcome. Auditing the source code has no real utility; it's worthless because you can't be sure that the code you've audited is the code actually running. "Open and verifiable" means nothing in that context.


I would prefer if the input to the software was published and anyone could verify the outcome. Unfortunately, currently none of this information is published and the whole system is based on trust.


Let's say that the software is published, and the code is audited and it looks ok - it seems to implement all of the intricacies of the transfer system and so on correctly. Then what? What if the operator forgets to use the latest version? or puts a different piece of software entirely on the counting system?

Having audited the source code really doesn't help; it won't remove the need to perform independent verification.

Similarly, merely publishing the input won't help much either; how do you verify that the published input corresponds to the actual votes? It won't remove the need for independent parties to observe the raw input (paper votes) and to make their own tallies; in which case those parties can publish their own copies.

Asking for the input to be published and the source to be published is just scraping the surface and won't add meaningful security. You need independent observation by mutually distrusting parties.


You keep saying this like people don't understand your point.

Personally I understand your point, but I think auditing the code is a good and important first step.

Technically it's worth noting that a code audit is required in any "perfect solution", so it isn't wasted effort.

Politically it is important to establish the principle that the AEC should be required to respond to reasonable requests to verify how the process is implemented.

> Similarly, merely publishing the input won't help much either; how do you verify that the published input corresponds to the actual votes? It won't remove the need for independent parties to observe the raw input (paper votes) and to make their own tallies; in which case those parties can publish their own copies.

Note that in Australia vote counting itself is manual and is already observed by multiple hostile parties. No one is proposing removing that.

> Let's say that the software is published, and the code is audited and it looks ok - it seems to implement all of the intricacies of the transfer system and so on correctly. Then what? What if the operator forgets to use the latest version? or puts a different piece of software entirely on the counting system?

Since we already have access to the raw counts the audited code can be run by anyone to verify it outputs the same output as the AEC claims.


The AEC does publish the totals for each candidate, at each stage of the Senate count [1]. There is a PDF for each state, under the heading "Distribution of Preferences". An example for NSW is at [2]. Are these numbers sufficient input, to duplicate and verify the results of the AEC software?

[1] http://results.aec.gov.au/17496/Website/SenateResultsMenu-17...

[2] http://results.aec.gov.au/17496/Website/External/SenateState...


Not really the same as the raw input, because while most people vote above the line, there will be a small number who vote below the line, and the incremental count doesn't show if these were allocated correctly.

The best you could do is compare the expected flow each step, based on group voting ticket, against the actual flow, and make sure the total difference does not exceed the number of below the line votes.


Do they publish how many people vote below the line?

Edit: Antony Green has an estimate used in his calculator. "At Federal election, around 95% of mainland voters, and 80% of Tasmanian voters, fill in their ballot paper using the group ticket ('above the line') voting option."

http://www.abc.net.au/elections/federal/2007/calculator/sena...


Any speculation on why Tasmania votes below the line so much more than the mainland?


I would think it comes down to the number of candidates because you either number one box above the line or every box below.

With the number of candidates doubling last election, Tasmania was probably more like 90%.

http://blogs.abc.net.au/antonygreen/2013/08/record-number-of...


As I understand it - yes normally these numbers are sufficient to verify outcomes.

However in extremely close races, such as what happened in WA - it can come down to very small numbers of individual ballots and how their preferences are stated, as to what order senators are elected in.

This then affects the re-flow of preferences.


The simpler fix would be to have a simpler voting system that can be done by hand.


The Australian counting system is VB6 on embedded MSSQL upgraded from a COBOL implementation.

"Two AEC data entry operators enter the same ballot data into the system separately, so their counts can be compared to verify that data entry discrepancies are not allowed to influence the final outcome." http://www.itnews.com.au/News/360504,the-tech-behind-was-sen...


> counted by hand.

By whom? Overseen by whom? Who oversees the overseers? Not to mention people make mistakes, ballots get dumped, and nobody has any evidence their vote was actually counted.

Here's a long but fascinating tech talk on a real solution:

https://www.youtube.com/watch?v=ZDnShu5V99s


I can talk about Ireland, as I've been an election observer there. The way we do it is that ballot boxes are locked and sealed with tamper-evident seals after a polling station has closed. Election observers, including representatives from the political parties, may request to add their own seals. In some particularly contentious districts this is done, but for the most part people are happy with the official seals.

The ballot boxes are then transported by the police force to the nearest "count center". The next morning, the seals are inspected and those ballot boxes are opened. All of the ballot boxes in a constituency are counted together in a secure, but open area. Here's a flickr set with a good number of photos showing how it's done:

https://www.flickr.com/photos/redmum/sets/72157600270850764

The counters are within the fenced area, and the observers - including many people from the political parties - surround the fence. The entire process is easy to see.

One particularly important part is what happens when the boxes are opened. The contents are just dumped out on the table and one by one each vote is turned to face up and towards the observers. The observers then "tally" the votes and mark which candidate (or referendum choice) the voter marked as their first preference.

All parties participate in this tally and it provides the first take on what the result will be. The margin of error on the tally is < 1%. Some tallies with enough tally-takers also count the 2nd and 3rd preferences, but most tallies just project the transfers (we use a transfer based voting system) and that too is generally accurate.

Contentious votes with identifying or ambiguous marks and so on are kept aside and argued over by people like me for an hour or so, but they never make much of a difference.

The end result is a process that is very verifiable and auditable, in easy-to-understand human ways; you can literally show up at a count center and count the votes yourself as they come out of the boxes, and make sure that you're not being duped. That's a nice accessibility property too.


This request came after an election in Australia where during a recount 1375 votes originally tallied were unable to be found http://www.aec.gov.au/media/media-releases/2013/e10-31.htm

An investigation was conducted http://www.aec.gov.au/About_AEC/Publications/Reports_On_Fede...

Rather than a police force transporting a sealed box, a commercial courier company or volunteer with their own car moved what might not have even looked like an official box (perhaps a printing firm's box) which in the end might have been thrown out in the recycling or might have been maliciously removed as the warehouse doors were left open or when a single security guard was on duty overnight.

As Mr Keelty wrote: "There is less concern for the security and integrity of Senate ballots because it is considered that they have less of an impact on the election outcome and in any event are warehoused for six years. This is a cultural problem within the AEC and it needs to be addressed. The fact that it had been thirty years since the last full recount of Senate ballots most likely added to the loss of care in routinely dealing with those ballots during the election."


I appreciate the thorough response and it does sound better than what I had envisaged.

However, there is still no way for me as an individual to know for certain that my vote has been counted. The best I can do is trust in the physical security practices surrounding the ballot box and the honesty of the volunteers involved. And even with a margin of error of < 1%, elections have been decided by fewer votes than that (~15 votes in my riding in Waterloo, ON in a recent election) and recounts are expensive, slow, and contentious.

I encourage you to watch the tech talk when you have a spare hour. We have the technology to create a much better and more transparent system.


We don't. I remind every group that tries to automate voting in my province that on election day somebody is going to denial of service the system to use it as an attention seeking platform which will just force a physical vote anyways. Other ideas floated like blockchain decentralized voting are also impossible since none of us can run a trusted personal device to vote with, and plenty of voters have no access or don't want access to phones or any other devices. Worse, every couple of elections there's some sort of scandal where a foreign "politically exposed person" has been caught propping up local candidates or outright fielding their own puppet to seemingly unimportant elections like the parks board so they can reap real estate or resource mining benefits. Imagine what kind of havoc a foreign state could wreak on an electronic voting scheme.

It's much more transparent to just do it by hand count though they tried to sabotage that too http://fullcomment.nationalpost.com/2014/03/11/dont-undermin...


Full transparency across time makes it easy to buy people's votes, or punish people for voting the wrong way. The moment I can check that my vote was counted, and was counted accurately, then my boss/landlord/wife/friend could pressure me into showing them said record.

The fact that I can vote very differently from what is socially acceptable in my social group, and there is no way for them to know is a feature, not a bug.


Watch the tech talk. It's possible to prove to yourself that your vote was counted correctly and simultaneously be unable to prove it to others.


In Australia, they're counted by a government official, and overseen by mutually hostile volunteers (scrutineers) supplied from the major parties. It's boring to be a scrutineer, but it's in the major party interests to ensure they are sent.


Professor Alex Halderman from Michigan has performed a few studies on Electronic Voting and Electronic Voting Machines, and essentially has proven that it is insecure. At one point, he hacked an American EVM to play the Michigan Fight song on every submission. You can read a few of his papers here: [1][2]

The challenge of creating anonymous and secure voting systems is still an area of constant research, and I do not believe that the Australian gov't has solved these problems yet.

Should we view the source? If we know it's insecure because it's basically unbelievable to think that otherwise, what good will seeing the code do? The fact that it is not being shown basically confirms the insecurity (if it was truly secure, we'd be able to see it without having a negative effect on the system). It seems the right thing to do is to fight this method of voting until EVMs are more secure, but maybe we should hedge our bets. Maybe we're going to be stuck with these EVMs in the interim, and we should avoid leaking the source to prevent people who have difficulty viewing the source.

[1] https://jhalderm.com/pub/papers/evm-ccs10.pdf [2] https://jhalderm.com/pub/papers/voting-wecsr11.pdf


The Dutch group "We don't trust voting computers" [1] hacked up a machine to play chess [2]. It could easily beat a novice.

[1] http://wijvertrouwenstemcomputersniet.nl/English [2] https://www.flickr.com/photos/colmmacc/sets/7215759431270116...


Australia doesn't use EVMs, all voting is done on pen and paper and counted manually. This is just the software used to input those results, tally them, do preference flows, and declare the outcome.


As suggested, releasing the raw data as input would be better than the source code anyway. The raw data should not have any 'trade secret' or 'hack vulnerability'.

Vote for it on data.gov.au https://datagovau.ideascale.com/a/dtd/AEC-Raw-voting-data/42...


You can download the 2013 Senate below-the-line preferences from here:

http://results.aec.gov.au/17496/Website/SenateDownloadsMenu-...

(Down the bottom, under “State Below the Line Preferences”)

I think those files, plus the above-the-line preferences should be enough to re-do the AEC's calculation... I would be interested to know if anyone had ever tried that.


http://blog.angrygoats.net/2014/01/25/counting-the-west-aust... uses those files I think and is cited in the FOI review as an example of how someone could reproduce their "trade-secret" algorithm using publicly available information.


The algorithm used is fairly complicated, being both preferential and proportional. (The lower house is preferential but not proportional).

Here is a nifty visualization of the senate vote flows in NSW: http://www.grwpub.info/senate/nsw.svg.

Essentially you need a certain number of votes to cross the line and win a seat. After winning the seat, those votes are subtracted from the party. Eventually when no parties have enough votes, the lowest voted party is eliminated and its votes are redistributed by preference.
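
The count described above (a quota to win a seat, surplus votes passed on, then the lowest candidate eliminated and redistributed) as an added example that is not part of the thread and is not the AEC's code. The ballots are constructed, and the transfer rule (scaling each ballot by surplus/tally), the alphabetical tie-break and the absence of rounding are assumptions; the legislated Senate rules differ in those details.

```python
from fractions import Fraction


def next_continuing(prefs, continuing):
    """First preference on the ballot that is still in the count, else None."""
    for candidate in prefs:
        if candidate in continuing:
            return candidate
    return None


def count_stv(ballots, seats):
    """Simplified preferential + proportional count.

    ballots: list of (ordered preference tuple, number of identical papers).
    Returns (candidates in order of election, quota, per-round tallies).
    """
    total = sum(n for _, n in ballots)
    quota = total // (seats + 1) + 1              # Droop quota
    continuing = {c for prefs, _ in ballots for c in prefs}
    piles = {c: [] for c in continuing}           # candidate -> [(prefs, value)]
    for prefs, n in ballots:
        first = next_continuing(prefs, continuing)
        if first is not None:
            piles[first].append((prefs, Fraction(n)))
    elected, log = [], []

    def distribute(parcels, factor):
        # Move each ballot to its next continuing preference at reduced value.
        for prefs, value in parcels:
            target = next_continuing(prefs, continuing)
            if target is not None and value * factor > 0:
                piles[target].append((prefs, value * factor))

    while len(elected) < seats and continuing:
        tallies = {c: sum(v for _, v in piles[c]) for c in continuing}
        log.append(dict(tallies))
        if len(continuing) <= seats - len(elected):
            # No more candidates than vacancies: everyone left is elected.
            elected += sorted(continuing, key=lambda c: (-tallies[c], c))
            break
        # Assumed tie-break: alphabetical order of candidate name.
        leader = min(continuing, key=lambda c: (-tallies[c], c))
        if tallies[leader] >= quota:
            elected.append(leader)
            continuing.remove(leader)
            surplus = tallies[leader] - quota
            distribute(piles.pop(leader), surplus / tallies[leader])
        else:
            loser = min(continuing, key=lambda c: (tallies[c], c))
            continuing.remove(loser)
            distribute(piles.pop(loser), Fraction(1))   # full current value
    return elected, quota, log


def recount_matches(ballots, seats, claimed):
    """Independent check: does a recount of the ballots give the claimed result?"""
    return count_stv(ballots, seats)[0] == list(claimed)


# Constructed ballots: 100 papers, 2 seats, candidates A-D.
SAMPLE_BALLOTS = [
    (("A", "B", "C"), 40),
    (("B", "C"), 25),
    (("C", "B"), 27),
    (("D", "B"), 8),
]

# Same totals per candidate on first preferences, but the 8 "D" papers
# now list C second instead of B.
ALTERED_BALLOTS = SAMPLE_BALLOTS[:3] + [(("D", "C"), 8)]

if __name__ == "__main__":
    winners, quota, rounds = count_stv(SAMPLE_BALLOTS, 2)
    print("quota:", quota)
    for i, tallies in enumerate(rounds, 1):
        print("round", i, {c: str(v) for c, v in sorted(tallies.items())})
    print("elected:", winners)
    print("altered ballots elect:", count_stv(ALTERED_BALLOTS, 2)[0])
```

Changing the second preference on the eight D papers from B to C elects C instead of B even though first-preference totals are identical, so an independent recount needs the ballot-level preferences and not only the per-round totals.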


I once attempted to implement the Senate counting algorithm (mostly so I could force myself to truly understand it).

I can say with great confidence that it is hard to implement correctly, and it would take more than a single external audit to give me confidence that the AEC's implementation is flawless.


What's up with the yellow lines going from already-excluded parties?


Apparently http://www.grwpub.info/senate/ is the description that goes with that animation. The yellow lines are votes for parties that were already eliminated getting redistributed again because the party their votes had gone to is being eliminated too.


That's appalling.

As an Australian citizen, who should I call about this to voice my objection?


Write to your Senator, say the AEC's refusal to comply[1] with Senate Order 330[2] is wrong and you'd like it challenged.

(Note that while it was moved by a Greens Senator, I'm not affiliated with the Greens and this is not a party political thing that's going on)

Failing that, maybe consider donating to my fund to fight this decision in court: http://pozi.be/easycountaat?ra=247325

[1]: http://lee-rhiannon.greensmps.org.au/sites/default/files/ron...

[2]: http://lee-rhiannon.greensmps.org.au/content/news-stories/up...


The process is proceeding as it should regardless. Anyone is able to put in a GIPA request, and they are allowed to refuse the information. As stated in the post an appeal of that decision is underway.

We need to start caring if the appeal is also refused.

Edit: GIPA is the NSW equivalent: http://www.ipc.nsw.gov.au/privacy/gipa_act.html


Try your local member. My local electorate is Fairfax so a bit of a no brainer.

Edit: Before anyone points out Clive's not in the Senate, he does have a very vocal, ongoing feud against the AEC and the budget for the AEC would most likely originate in the lower house.


> My local electorate is Fairfax

I'm sorry.


You have a set of questions for this Abbott-led government regarding technology backed up by legitimate concerns?

Save your time, I already know the response to that.

It's 'Get Fucked'. And that was before the election.

http://delimiter.com.au/2013/08/07/get-fucked-turnbull-staff...


The AEC is supposed to be non-partisan, and not have much to do with the parties themselves, IIRC (although they do report to the government at the end of the day).

Your point is well taken though. I'm thoroughly disgusted with the fear-mongering, technophobic way our government has conducted itself.

If you're interested in applying your technical skills to furthering the democratic process in Australia, volunteer with the Open Australia Foundation (which is what I'm doing). They've got everything on GitHub, and accept PRs!

https://www.openaustraliafoundation.org.au/


As a fellow Australian citizen, I would also like to know this.


That's a trade secret.



The Electoral Commission has since refused to comply with the Senate order to release the source code: http://lee-rhiannon.greensmps.org.au/sites/default/files/ron...


I'm only replying to say a personal thank you for pursuing this. Australia has such weak individual rights, it is so important that people like yourself put your hand to pursue them on occasions like this when it is important. Keep going!


Hi mjec, thanks.

I didn't know about this latest turn of events! This quote in particular is extremely disturbing... I noticed it in the FOI rejection, but now they're telling this to the Senate:

> In relation to the source code for the Senate counting system, I am advised that publication of the software could leave the voting system open to hacking or manipulation.

This was after the Senate asking, this argument has nothing to do even with the FOI request.

And a previous thread on reddit: http://www.reddit.com/r/australia/comments/29t2q7/aec_threat...


OK, just noticed Josh Taylor posting this article on ZDnet in the same minute as this comment's parent: http://www.zdnet.com/au/government-blocks-aec-source-code-re...


"I am advised that publication of the software could leave the voting system open to hacking or manipulation".

Well, if the problems are there, opening up the source to more eyes strikes me as the obvious thing to do; or should those with the knowledge of how to manipulate it as it stands be kept to the bare minimum? :)

But in any case, at least the meat of the implementation of the algorithm should be OK to release I would've thought - surely that isn't someone's intellectual property?

This is software we paid for and strikes me as pretty important to the democratic process, I'd like to have a bit of a look at it.


A smart cookie could vote in such a manner as that when the information is entered into the system, it crashes it? Maybe that's what they mean by manipulation...

Or, is it available online without any authentication other than knowing where it is? So if you know where it is, you could enter votes and then manipulate the election with those fake votes...


> A smart cookie could vote in such a manner as that when the information is entered into the system, it crashes it?

"Informal" votes -- ballots where the voter does not correctly fill out the ballot paper -- are rejected from the tally by the counters under supervision from scrutineers.

If you use hexadecimal, it will be rejected. If you use a very large number, it will be rejected. If you use weird unicode characters, it will be rejected. If it's anything other than a) a single [1] "above the line" or a fully filled-out ballot "below the line" comprised of numbers from 1-n where n is the number of candidates-1, it will be rejected.

If it's crashing on properly filled-out votes, there's a bigger problem.


> "I am advised that publication of the software could leave the voting system open to hacking or manipulation".

Certainly reminds me of this xkcd: https://xkcd.com/463/ It sounds like security...


I hadn't seen that one :) Someone above mentions it's VB6 with embedded SQL Server upgraded from COBOL [1]. Can sort of see how they don't want anyone looking at it now.

1. https://news.ycombinator.com/item?id=8039958


It seems to be an ongoing misconception in the public, that part of good security is obfuscation. Know of any simple clear articles I could point people to when they make these sort of ("because Hackers might see") claims?


@mjec,

"I am advised that publication of the software could leave the voting system open to hacking or manipulation"

Shouldn't this "advice" demand substantiation or evidence? Surely it's not enough for one to just get "advice" right? If so then any Joe could lie to this officer and they could write the same thing.

Also, what does that bit about "commercial-in-confidence" mean?


> Shouldn't this "advice" demand substantiation or evidence?

I think so, and evidently so do others. Already a gentleman by the name of Brendan Molloy has put in an FOI request for the documents on which this advice was based: https://www.righttoknow.org.au/request/documents_informing_t...

> Also, what does that bit about "commercial-in-confidence" mean?

The AEC does conduct some elections on a fee-for-service basis - things like union elections. They use a version of the same system to tally votes in those elections too. They say that the two systems are totally inseparable, to the point where you can't just cut out the code used in industrial elections. They also say revealing the code (though keep in mind it would still be copyrighted, so couldn't be used by any other organisation) would cause them significant commercial disadvantage. Because they have particular efficiency in the way their software operates which causes them to be more competitive.

As you might suspect, I disagree with pretty much every part of what they claim there.


There is a follow up freedom of information request on trying to get some more information about that advice here https://www.righttoknow.org.au/request/documents_informing_t...


If releasing the code is an issue, how about a compromise instead? How about releasing the code to a handful of independent third party firms and academics to determine for themselves if the code is safe. Does the AEC have an audit process in place where the code is checked and is there a testing environment of which the code is strongly tested for issues?

Given the undeniable complexity of such an algorithm, it would take more than a single audit to verify that it is secure. I don't doubt there is something up in the process somewhere, when it comes to vote redistribution I believe if not done correctly and properly tested, there could be some issues in that part alone.

Or better yet, release the data and allow academics from multiple institutions to independently run their own counts and then see if the results match up with that of the AEC's. I think that could be another way without releasing the code and verifying the results are accurate.


A review of the EasyCount software is currently out for limited tender: https://www.tenders.gov.au/?event=public.cn.view&CNUUID=53E3...

However that's still a far cry from any real scrutiny and transparency…


Honestly, the only way to prevent election rigging is to associate each vote with a key, make the key-vote-district database public and give each voter a copy of their vote keys.

If each vote is verifiable to the voter and the whole database is public, then we can have independent analysis done on the votes and no vote rigging is possible, except for creating additional fake keys.

And we can fix that problem simply by making the keys associated with a voter registration, which requires an ID. Same way we do now. Granted, that's still limited by the issues with paper ballots.


I propose someone sponsors a bill whereby any voting software used to count votes by the public must be open sourced and have several signatures (md5, sha1, etc.) which each voting center must verify before deploying it.

The voting centers would just have generic computers (perhaps with special peripherals for voting) which would load the software from a file and they could verify the signature of the file. There could be software that does this automatically. Such as the Apple app store.

That way, if any data centers detect an anomalous signature, they'd report it and it would raise a stink.

This is similar to the Apple App store except instead of Apple owning the ecosystem it would be their government. There are even better ways without all this crap -- either use an existing App Store from Google or Apple (or all) or have a browser extension and distributed app store from a distributed social app platform ;-)


A counting algorithm is a trade secret? How did this even come to be?


The algorithm is public. It's the Australian Electoral Commission's implementation of it, their software, that's used in public elections that they're calling a trade secret.


> The algorithm is public

Clearly so -- except the AEC explicitly say "The algorithm is the trade secret."[1] Which to me says they don't know what algorithm means.

[1]: http://easycount.mjec.net/2013-12-09-aec-to-mjec.pdf at paragraph 57.


In their defence, in Section 15 of the FOI rejection letter, they mention the software is used for several fee-for-service industrial elections.


They still have copyright on the software: copying it and, say, undercutting the AEC on the fee-for-service would be illegal. Far more likely that the AEC don't want to have their software open to scrutiny by politically-motivated geeks.


"Under the Fair Work (Registered Organisations) Act 2009 (the Act), the AEC must conduct all elections for office in registered organisations unless an exemption has been granted by the Fair Work Australia." http://election.aec.gov.au/About_AEC/AEC_Services/Industrial...

So they have a protected monopoly for that too?


Yes, it's a government... it grants and enforces monopolies.


Isn't that a conflict of interest? I mean, who or what pays for the development of the implementation?


I'm uneasy about that... presumably they get funded from our taxes. I'd have to guess any profit they make is put back into the pockets^w system, but not responding to FOI's on the basis of a commercial interest strikes me as weird.

Must be some impressive VB coding in any case.


If you want to help solve this please contribute to @mjec's campaign to raise money for representation by a barrister at the AAT appeal http://www.pozible.com/project/183015


I've always thought the Hare Clark system is intrinsically undemocratic (even though it produces reasonable results) because no one seems to understand it (certainly the people who claim to can't explain it). It's also non-deterministic -- the outcome can change based on the order in which votes are counted (although the impact will be very small in all probability).


How can the order in which votes are counted change the outcome?

The whole process is in my opinion pretty easy to understand: each ballot is assigned to the candidate who is marked as the top preference and each candidate's votes are counted. The candidate with the fewest votes has their ballots reassigned based on their next preference. This process continues until there are only enough candidates left to fill the number of seats. I can't see how this is nondeterministic (but would like to know it could be).


STV used in Australia is deterministic. It does not change depending on the order in which votes are counted.


You don't understand the system. Surplus votes are distributed based on preferences, so order does matter because preferences will be different from one ballot to the next. Which ballots fill a candidate's quota determines which preferences don't get assigned.


The preferences on quota surplus votes are transferred at a fractional value, so every ballot is counted.

It didn't always used to be though - prior to computers, to establish the fractional vote transfers, a "sample" of surplus votes to a quota used to be randomly selected.
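The fractional transfer described in the comment above, next to an order-dependent pile rule, as an added example that is not part of the thread and is not the AEC's software. It is a simplified single-surplus count over constructed ballots; the function names and the "ballots past the quota move at full value" rule (a stand-in for the old sampling) are assumptions made for illustration.

```python
from collections import Counter
from fractions import Fraction

# Constructed ballots (not real data): 2 seats, 9 ballots, candidates A, B, C.
BALLOTS = [("A", "B")] * 3 + [("A", "C")] * 3 + [("B",)] * 2 + [("C",)]

def droop_quota(n_ballots, seats):
    return n_ballots // (seats + 1) + 1

def fractional_transfer(pile, quota):
    """Every ballot in the pile moves on, each worth surplus / pile size."""
    value = Fraction(len(pile) - quota, len(pile))
    gains = Counter()
    for ballot in pile:
        if len(ballot) > 1:
            gains[ballot[1]] += value
    return gains

def pile_transfer(pile, quota):
    """Assumed stand-in for sampling: only ballots past the quota move, at full value."""
    gains = Counter()
    for ballot in pile[quota:]:
        if len(ballot) > 1:
            gains[ballot[1]] += 1
    return gains

def tallies_after_surplus(ballots, seats, transfer):
    """Elect the first-preference leader, distribute the surplus, return the rest."""
    quota = droop_quota(len(ballots), seats)
    tally = Counter(b[0] for b in ballots)
    leader = max(tally, key=tally.get)
    if tally[leader] <= quota:
        raise ValueError("leader has no surplus to distribute")
    pile = [b for b in ballots if b[0] == leader]
    gains = transfer(pile, quota)
    return {c: tally[c] + gains[c] for c in tally if c != leader}

if __name__ == "__main__":
    for name, order in (("as entered", BALLOTS), ("reversed", BALLOTS[::-1])):
        print(name, "fractional:", tallies_after_surplus(order, 2, fractional_transfer))
        print(name, "pile:      ", tallies_after_surplus(order, 2, pile_transfer))
```

With these ballots the fractional tallies are the same in both orders, while the pile rule puts C ahead of B in one order and B ahead of C in the other.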


Ok, thanks for the correction then. My knowledge of the system was out of date (as is the article I checked it against).

But the fact almost no voter understands it remains an undemocratic feature.



As someone who has lived and voted in a system that uses hare clark, let me say that it is a horrible system, and should never ever be used!


How hard is it to add numbers?


Imagine if the Principia Mathematica was decided upon by democracy.

That hard.


Still I cannot comprehend that, the software simply has to measure the number of votes...


Forgive me for being snarky. The real challenge is surviving voter manipulation.

Parties would intercept communication, and compromise machines.

Voting machines have to remain secure, despite opponents having physical access to the machine, and currently security doctrine is basically "Once your opponent has physical access, you lose."



