A Possible Implementation of a Voter-Verified Audit Trail

The following is a description of the specifics of how a VVAT system could work in Ireland, using a modified version of the proposed system. Some changes here are not strictly required for implementation of a VVAT. This implementation is based on auditing by comparing electronic votes to paper ones. This is just one possible implementation.

I suggest ways of dealing with some problems which are not specific to VVAT (they can occur in the proposed system) and which are not addressed by any procedures for the proposed electronic system.

This text is unfinished and I intend to update it in the next few days, with some rewording for clarity, and possibly some additions after I look for loopholes.

Please give any comments you have on this on the discussion forum.

Definitions

The following terms, when used in this text, have the meanings given here:

Failure of the system

The system is said to have failed if it has behaved incorrectly in a material way, whether due to a hardware or software fault, human error or tampering. The following would be examples of failure (but this is not a comprehensive list):

Recording or displaying a vote incorrectly (differently to what the voter entered).
Printing incorrect information on a paper ballot.
The counting software outputting (on screen or printed) incorrect details of votes (whether individual votes or totals), or any incorrect information for use in an audit (for example, the information at the top of the page of the report listing the electronic votes).
Failure of a voting machine to record a vote or of the counting software to output results.

Unique vote

A unique set of preferences found on one or more votes.

VVAT

Voter-Verified Audit Trail.

DRE

Direct recording electronic.

Ballot box

The box or container which holds the printed ballots.

References to elections also apply to referenda and references to constituencies also apply to other types of electoral area.

Hardware Changes to the proposed system

The following hardware changes to the Nedap voting machine would be required:

The case would have to be modified to accommodate a transparent window in which the printed ballot paper could be viewed. This might have to replace one of the existing panels for candidates. This would mean that the machine could handle only five consecutive elections (less if any of them have more than 17¹ or 18 candidates), instead of six.
The printer in the Nedap machine would have to be moved into a position such that the paper could be viewed in this window.
There would be a space (ideally a removable box) into which the cut printouts (ballot papers) would go.
The printer in the Nedap machine would have to be moved into a position such that the paper could be viewed in this window.
It would have to have the capability of cutting the paper coming from the printer. This might involve using a different model of printing unit. Cutting the paper is necessary because if it was not cut, the voter could be identified by someone (an agent, for example) observing and noting the order in which people voted on each machine, since the votes on the paper real would be in the same order.
The machine would need an extra two buttons (or to reuse two existing buttons) - one for the voter to accept the printed ballot and another for the voter to reject it. One option would be to use two buttons of the panel which is replaced with one containing the window.
It would be an advantage if the machine could return rejected printed ballots to the voter. The voter could then destroy it him/herself. This way, the voter can ensure that noone sees their rejected ballot (this might be important if it was entered by mistake, because there would tend to be few rejected ballots in each machine and an agent could probably tell if the voter rejected a ballot and entered a new one (by the sound of the printer, for example) ) and that it does not actually get counted. Such ballots would not prove anything and would have a mark printed on them to indicate that they were rejected (see the section The Printed Ballot). The extra cost of this is might not be justified.

Another option would be to have two ballot boxes in the machine, with the machine directing rejected ballots to a separate box. I would still recommend printing a mark to indicate that these ballots are rejected, since they would be in close proximity to the accepted ones and there would be a risk of someone moving some of them into the box of accepted ballots (however, to get away with this, they would have to tamper the electronic system also, and there would be a risk of being caught by agents).

No hardware changes to the count centre PC, ballot module or programming reading unit (ballot module reading device) would be required.

Software Changes to the proposed system

Nedap Voting Machine

Printing of paper ballots and cutting the paper
The operation of this is described in the section Voting - Normal Procedure.

IES Software (for the count centre PC)

The first two changes are for assisting in comparing the electronic votes to the paper ballots, so these changes would not be necessary if the audit involved conducting a full manual count instead of comparing votes. These features could still be useful, in that case, to help determine whether a discrepancy was caused by human error in the audit or by failure of the electronic system. The third change listed below, provides for recovery from the a situation where all copies of the electronic votes are corrupted (which is very unlikely) or deemed to be unreliable due to a fault being discovered in a machine. This is not essential and is a feature which is made possible by the use of a VVAT.

A VVAT could be implemented without any changes to the count centre software.

Printing Summary of Votes from a Machine or Group of Machines
The software would have the facility to print a list of all unique votes and the number of each which there were on a ballot module or a group of ballot modules ². They would be sorted in alphabetical order of first preference candidate, then second preference candidate and so on for all preferences. This printout could be used for comparing the paper ballots to the electronic votes. (Of course, a tampered machine could print this list wrongly. The audit procedure described below will still show that the system has failed in this case).

The printout could look something like this:

Election: [2004 Local Elections]

Electoral Area: [Rathmines, Dublin]

Machine(s): [02971] (1 machine)

First and Last Votes: Friday, 11 June 2004, 09:02:01 - Friday, 11 June 2004, 20:57:39

Start and End of Voting: Friday, 11 June 2004, 08:58:11 - Friday, 11 June 2004, 21:01:54

Number of Votes: Total: [289]; Valid: [286]; Deactivations: [5]; Rejected: [11]

Hash (SHA-1):

Printed at: Saturday, 12 June 2004, 12:02:47; Page [1] of [6]

Count PC serial number:

Ballot module read at: Saturday, 12 June 2004, 10:48:27; No manual data entry.

Voting machine model: [EIS2 rev.1] Voting machine software version: [1.1]
IES version: [1.3]

[14] [1 Bloggs, Joseph (-)]

₅ ₁₀ _*

[10] [1 Bloggs, Joseph (-); 2 Doe, Jane (AB)]

₅ _10*

[7] [1 Bloggs, Joseph (-); 2 Doe, Jane (AB); 3 Doe, John (BZ)]

₅ _*

[1] [1 Bloggs, Joseph (-); 2 Doe, Jane (AB); 3 Doe, John (BZ); 4 Mouse, Michael (YH)]

_*

[4] [1 Bloggs, Joseph (-); 2 Doe, John (BZ)]

_*

[3] [1 Bloggs, Joseph (-); 2 Doe, John (BZ); 3 Doe, Jane (AB)]

_*

[8] [1 Bloggs, Joseph (-); 2 Mouse, Michael (YH)]

₅ _*

[18] [1 Doe, Jane (AB)]

₅ ₁₀ ₁₅ _*

[11] [1 Doe, Jane (AB); 2 Bloggs, Joseph (-)]

₅ ₁₀ _*

It would be printed using the same printer which is used for printing reports from the software (probably an A4 laser printer).

Each unique vote has a row of boxes for the count staff to mark - one box for each paper ballot matched, in order (left to right). The last one has an asterisk, so that fraudulently adding boxes would require erasing this.

To make it easier to find a vote, a heavy line divides groups of votes with the same first preference. Every second vote is shaded to make it clearer which row of boxes relates to each vote (to reduce the incidence of errors in marking these).

The meaning of the information at the top of the page is as follows (some of these are just ideas for other improvements to the system, which might also require a change to the voting machine or other changes to IES):

Election Title of the election.

Electoral Area: The electoral area (constituency, ward, etc.) in which the machine was used.

Machine(s): The number of the machine, or all machines in the group. If the ballot module has a serial number, it would also be printed here.

First and Last Votes: The time at which the first vote and last vote on the module were recorded. This is not essential, but I suggest that recording this on the voting machine, reading it to the count centre PC and displaying it here would be useful.

Start and End of Voting: The time period during which the machine was in a mode where it accepts votes. Another feature which is not essential but might be useful.

Number of Votes: The total number of votes cast on the machines (this does not include rejected ones), the number of votes excluding deliberately spoiled ones (if this is supported), the number of rejected votes, the number of times the machine was activated without recording a vote.

Hash (SHA-1): A cryptographically secure hash of the binary data of the votes on the ballot module (as one block), in a clearly defined format. This is not currently supported by the system, and is not essential, but could improve security if was added and the voting machine printed a copy of it for each agent at the end of polling.

Printed at: The time at which this report was printed, the page number and number of pages.

Count PC serial number: Any unique ID of hardware in this PC. For example, it could be an Intel CPUID.

Ballot module read at: The time at which the ballot module was read by the count centre PC. If any votes were entered manually (see point 3 below), the number of such votes would be shown here also.

Voting machine model: The model of voting machine used, and the revision of the motherboard, if applicable and available.

Voting machine software version: The version number of the firmware in the voting machine.

IES version: The version of the software on the count centre PC.

The software versions and voting machine model are important to know if a design fault or bug is discovered.
A date format with a lot of redundancy is used to make it more difficult to alter. The day of the month would be shown with a leading zero if it were less than 10.

Square brackets are used around values to prevent text being fraudulently added by an agent in order to falsely claim incorrect behaviour.

Security features (for example, an official stamp) could be applied to the paper. If none are used, this printout could easily be forged. While precautions are taken to make this more difficult to fraudulently modify, forgery is possible (laser printer toner can be relatively easily removed from a page), but security of the system does not depend on this.

This report could, alternatively, be laid out with the preferences of each vote listed vertically (more closely resembling the paper ballot).

A facility to search for a specified vote
This is not essential, but it would be useful to be able to enter a set of preferences of a vote and have the system report how many votes from a selected machine or group of machines² have exactly these preferences. If this is used to search for the preferences of a given paper ballot from the system, and they are not found, this would prove that the system had behaved incorrectly. However, if it finds the vote, it cannot be relied upon, because a tampered machine could give a false result. When an audit fails, this may provide clearer evidence of the failure.
A facility to manually enter votes
This could be used in the event of both copies of a ballot module being corrupted or failure of the system to correctly read a ballot module. If this feature is used, the system would record how many votes were entered for each machine or group of machines² and output this in all relevant results output. There would be a facility to delete or modify votes which are entered manually (but not individual votes which were read from a ballot module electronically). The system should keep a log of all actions done using this functionality and this should be published after the election (Note, however, that falsifying this log would not be difficult, so ensuring integrity of the system depends on agents watching the person using the count centre PC at all times).
IES could display the number of votes on a ballot module as it is read. This is not essential, but would increase the change of detecting some types of error.

Implementing these features as a separate application

Lists of votes can already be extracted from the system (some results from the general election were published), so software to do this could be written separately from the IES software.

The ability to have this written as a separate application would tend to reduce the cost to the government, due to competition - they could put out a tender and choose the lowest bidder. If this was put out to tender, the government could make it a condition of the contract that the source code would be published (made available to everyone on the Internet).

Implementing it as part of IES is likely to make it easier to use for the computer operator.

The Printed Ballot

The printed ballot could look something like this:


 Machine: [02971]

 ***
 *1 Doe, Jane (AB)*
 *2 Bloggs, Joseph (-)*     
 *3 Doe, John (BZ)*
 ***

 <ACCEPTED>

The names of the candidates are printed in order of preference. Each line of the ballot shows the preference, a space, then the candidates name in a uniform format, which would exactly match the name printed on the face of the machine. In the event that a candidate's name was too long, it would have to be shortened or truncated in this printout, but the paper on the face of the machine would also indicate how it would be displayed on the printed ballot. The letters in brackets would indicate the party affiliation (or an indication that a candidate is non-party) of each candidate (in abbreviated form). (I have avoided using actual party names here). This makes alteration more difficult (by adding redundancy) and also reduces the chance of a vote being manually miscounted for a candidate with a similar name. In this example, "(-)" indicates that a candidate is non-party (independent) (it could equally be "(NP)" or "(IND)" provided that no party name has those initials).

Machine Number

The machine number (or any type of unique identifier for it) could be included (as shown in the example above). It would have to be possible to configure the machine not to print this. Machines which are likely to get below a certain number of votes would be configured not to print the machine number on the ballot, and the votes from those machines would be mixed with others which also did not print the machine number on the ballot. It must be possible for the voter to verify that this number is the same number printed on the paper ballot of everyone else who uses the machine. This could be achieved by displaying the machine number on a printed notice on the machine. The voter could compare this to the number on the printed ballot and could that it does not change for each voter since it is on a printed notice. Printing the machine number on the ballot does not compromise secrecy any more than revealing the list of votes from a machine. The advantage of this is that, if there were a failure, this would make it clearer that the electronic system failed, rather than the audit system. For example, without this, when the paper ballots do not match the electronic votes, one could theorise that some paper ballots had accidentally been moved from one box to another. Such a claim could not be disproven and could be used as an argument against carrying out a full investigation.

The asterisks above and below the names and around each line make it more difficult to alter - to insert another preference (or add letters to the end of a name, e.g. changing "John" to "Jonathan", though the party initials prevent this too), it would be necessary to erase some of these asterisks first. Only three asterisks are used above and below (rather than filling the whole width of the paper) so that the voter could easily notice if more or fewer asterisks were used. (Since a tampered machine could compromise secrecy by printing ballots in non-uniform ways). For the same reason, each line is not padded to the edge of the paper. Security of these ballots, however, would be primarily based on physical security of the ballot box, is in the paper system.

Alternatively, the full list of candidates, each with the preference beside him/her, could be printed, but I think that this format is both more intuitive for the voter (when verifying it) and clearer for people conducting a manual count (it could be sorted faster). Since there is less information, there is less scope for a tampered machine to make it non-unique without being noticed. It could be argued, however, that this method is more prone to manually miscounting votes for a candidate with a similar name.

The last line is printed when the voter approves or rejects the ballot. A rejected one could look like the following:


 Machine: [02971]

 ***
 *1 Doe, Jane (AB)*
 *2 Bloggs, Joseph (-)*     
 *3 Doe, John (BZ)*
 ***

 >>> REJECTED! <<<

The "REJECTED" message is formatted to be conspicuous (so that it can be easily separated from the valid ones in a manual count). The number of greater than and less than symbols is chosen for the same reason as the number of asterisks.

There should be a notice near the machine, explaining what the printed ballot should look like and encouraging people to report if it is not exactly correct or if the print is faint.

Operation of the System

Voting

Normal procedure

When a vote is cast, it would be printed and displayed in the window on the machine.
The voter would then be prompted (by a message on the LED or LCD display) to accept or reject the printed ballot, by pressing a button.
The machine prints a message indicating whether the ballot was accepted or rejected, pauses for about a second, so that the voter can see this, then cuts the paper and it goes into the box.
If the voter rejects the ballot, he/she is allowed to re-enter the vote and this process repeats.

If the machine prints an incorrect ballot and displays the correct details on the screen, or vice versa

If the voter is willing to give up the secrecy of his/her vote, he/she could show the returning officer the machine with the incorrect ballot. This would prove that the system had behaved incorrectly. See the section Failure During Voting.
If the voter is not willing to give up the secrecy of his/her vote, he/she could reject the printed ballot and try again. If it still did not work, he/she could report this to the returning officer and be allowed to use a different machine. The machine operator would check that the voter had no actually cast a vote, and deactivate the machine. A record would be kept (manually), by the returning officer or the voting machine operators, of the number of people who voted on each machine while being registered for another and the number of people who were registered for a machine and did not vote on it. If the problem persists, see the section Unproven Failure.
There is a risk of the voter not checking the printed ballot. In this case, the error would go undetected. However, if this happened a significant number of times, it is very unlikely that it would be undetected every time, and if it is detected once, it would have to be investigated.

If the machine prints an incorrect ballot and alters the display to make it the same as the printed ballot

If the voter notices this, he/she knows that the behaviour is incorrect but cannot immediately prove it. He/she could reject the ballot and enter the vote again. If it consistently does not work, the voter could demonstrate this to the returning officer and agents (by entering the vote in front of them) if he/she is willing to give up the secrecy of his/her vote. This would prove failure of the system (see the section Failure During Voting). IF the voter is not willing to
As in the previous case, there is a risk of this not being detected by the voter.

User error

A voter may think that the system is behaving incorrectly because they are using it incorrectly. In this case, the machine operator could instruct them on how to use it or demonstrate how to vote, without actually pressing the "Cast Vote" button. Then the machine operator would move away and the voter would try to vote again. In the event that he/she still could not vote after repeated attempts, if the he/she is willing to give up the secrecy of his/her vote, the machine operator could show them how to use it or even vote for them (but this is undesirable). If he/she is not, then he/she will not be able to vote and is in a similar position to someone who finds a fault but cannot demonstrate it because of secrecy.

If a voter cannot learn how to use the machine and knows that he/she cannot use it correctly, he/she could possibly be treated similarly to a blind or disabled person - with someone assisting them to vote. In this case, there is a risk that a voter might be intimidated into requesting that someone assists them in this way. This is not ideal - whether this assisted voting is allowed or not - but it is no different to when there is no VVAT.

In either case, this is not an issue with the VVAT.

If a voter falsely claims that the machine is behaving incorrectly

If the voter is willing to give up the secrecy of his/her vote, he/she can be asked to cast the vote in front of the returning officer (and possibly agents). If the claim is false, the voter will not be able to demonstrate a failure.
If the voter is not willing to give up the secrecy of his/her vote, then this claim cannot be proven or disproven. This is problem with any direct recording electronic (DRE) system - it applies in exactly the same way to a system without a VVAT. This problem does not occur in the current manual system, nor in optical scan systems with central counting.

If the printer runs out ot ink

With inkjet and laser printers, this can be detected and the machine could stop accepting votes until the cartridge was replaced. However, the most cost-effective solution would be to use the existing matrix printer in the Nedap machine for printing the paper ballots.

The ribbon should be checked or replaced before the election so that it is unlikely to run out.

If it does run out of ink:

If the voter checks the printed ballot, he/she will see that it appears blank or too faint to easily read. The voter could then reject the printed ballot and report the problem. The polling station staff would replace the ribbon, then the voter would reenter his/her vote.
If the voter does not check the printed ballot, there will be a faintly printed or (worst case) apparently blank ballot in the ballot box. It is unlikely to be completely blank since it would have become faint gradually and it unlikely that no voter would have noticed. In an audit, the paper could be examined for the indentations made by the printer (even if there is no ink at all on it) and the preferences of the vote could be determined. Redundant information on the ballot (such as the party affiliation) helps to ensure that it is read correctly.

Secrecy and proving failure

It is usually necessary for one voter to give up the secrecy of his/her ballot in order to prove that the system is behaving incorrectly.

If, in the cases above, the problem was resolved by using a different machine or retrying with the same machine, the voter has cast their vote correctly, and can report the failure, but cannot prove it. If this is happening, it is likely that some voters are not noticing the failure.

However, since only one voter has to give up the secrecy of his/her vote to prove the failure, this is likely to be enough to detect a fault and should provide a strong disincentive to tampering.

While this situation is not ideal, it is much better then the situation where there is no VVAT - in that case, the voter would either not know that the system had failed at all, or, at best, would still have to give up the secrecy of their vote to demonstrate an error. If the system was competently tampered, the voter would have no way of knowing.

Voters should be encouraged to report any problems they have with voting machines, even if they cannot prove incorrect behaviour. If a significant number of such reports were received, or if there is any evidence of incorrect behaviour, they should be investigated.

These procedures may seem complicated, but one has to remember that, without a VVAT, it is simpler only because errors (or tampering) would not be detected in certain cases (hence, there is no procedure for dealing with it).

Unproven Failure

A situation can occur in which a voter can see that a machine is behaving incorrectly and cannot cast his/her vote as intended (the failure might occur with certain combinations of preferences only), but cannot prove this, since they are not willing to give up the secrecy of their vote.

This is a problem with any DRE system - not a problem with the VVAT. This might occur less often without a VVAT, but that is because such a fault is less likely to be detected without a VVAT. In my opinion, it is better for a voter to not be able to vote than to vote and have his vote recorded incorrectly, unknown to the voter. The latter case preserves confidence in a system which is behaving incorrectly.

Before and After Voting in Each Polling Station

Information printed by the machine before and after polling would be printed using the same printer, but it would not cut the paper. The paper could then be torn off and not put in the ballot box.

Before voting, the agents would be shown that there are no paper ballots in each machine (as well as the existing checks).

After the close of voting:

The printed ballots should be removed from each machine and transported to the count centre. The ballots must not be stored in the machine after the election, since a tampered machine could print extra ballots while in storage or in transit before the audit.
The personation officers would report (to the returning officer and the agents) how many people how been marked off the register for each machine.

As an added security precaution, the paper ballots could be transported separately from the primary ballot modules.

Counting

As each ballot module is read, IES (as modified) would display the number of votes in it. This would be compared to the number of people marked of the electoral register, entitled to vote on that machine, adjusted for anyone who was allowed to vote on a different machine to the one they were registered for. If the number of votes was higher, or significantly lower, this should be investigated and the constituency should be audited.

If it was only slightly lower, it could be explained by people identifying themselves and then leaving the polling station without voting.

A discrepancy could be accounted for by a voter innocently voting on the wrong machine, or an error in the records kept manually of people allowed to vote on a different machine. In these cases, the total number of votes for all machines in a polling station should still equal the total number of people marked of the electoral register for that polling station (except for people who left without voting).

If both copies of a ballot module are corrupted

If a ballot module and its backup are both corrupted, votes from that machine could be manually entered to the system from the paper ballots (this is very unlikely since each module holds two copies of the data).

Deciding Where To Audit

Audits would have to be done on whole constituencies, since if only certain machines in each constituency were audited, the count software, if tampered, could alter votes from ones which were not audited only. This could easily be done if, as I am suggesting, the count centre PC prints reports by machine for use in auditing (tampered software could alter votes from machines for which no report was printed only).

Constituencies to be audited could be decided as follows (by all of the following):

A certain number of constituencies (or other electoral areas) could be chosen randomly. The process must be transparently random, for example, by printing the names of all constituencies on pieces of paper, folding the pieces of paper so that the names cannot be read, mixing the papers and agents choosing one or more of these each.
Each party could nominate a certain number of constituencies (possibly just one each).
This helps to preserve confidence in the system (and to detect errors) when a party has a suspicion about a particular constituency. It also, means that if someone were to rig an election, then rig the random selection, there would still be a risk of the rigged constituency being audited. For this purpose, any group, which has a certain minimum number of candidates nationally, could be considered a party (even if they are a group for this purpose only). There will still be independents who cannot nominate constituencies, so the random selection is important.
Candidates would be entitled to request an audit in certain circumstances, similar to the procedure for requesting recounts in the manual system.
A returning officer could, at his/her discretion, decide to audit his/her constituency.
If a voting machine is found not to have performed according to its specification, in any way, any candidate will be entitled to request an audit of the votes from that machine.
If the counting software is found not to have performed according to its specification, in any way, any candidate will be entitled to request an audit of the votes from that machine. If any part of the system is found not to have performed If there is any evidence of failure of the system or
If an agent presents prima facie evidence on failure of the electronic system in a given constituency, that constituency should be audited.
Notwithstanding any of the other provisions, the courts would have the power to order an audit in any constituency, at the judge's discretion.

When an audit is requested on one of these grounds, the returning officer would make a decision and this decision could be contested in the courts.

Some of these points may require better specifications of the system to be made available (and to be written if they do not exist).

Whenever votes from a backup ballot module are included in the count, the votes from its machine should be audited, since security of the backup ballot module may not have been as tight as for the primary one.

The Importance of Random Sampling

Random sampling (for auditing) is important (even if parties can nominate specific constituencies) so that a minimum probability of a constituency being chosen can be determined statistically.

For example, if one constituency is chosen randomly (out of 42), the probability of any given constituency being chosen is 1/42. However, if a human chooses one, the probability is not necessarily this, because the human may have a bias, and this bias cannot be quantified without a significant amount of past data. The danger is that it might be predictable that a certain constituency would be neglected. If one constituency is chosen at random and one nominated by a person, then the probability of any given one being chosen cannot be easily determined, but it is at least 1/42 (a minimum value for the probability).

Random sampling would also help to assure each voter that his/her vote has a chance of being audited (without it, there might be a perception that the parties never choose a certain constituency).

A decision has to be made on whether the full list of votes from the electronic records of votes is to be published for all constituencies or only for selected ones. With the auditing system I am proposing, it would be necessary to publish these for all audited machines, at least.

Decisions on which constituencies to audit could normally only be made after the electronic system had returned a result in every constituency. Results in each constituency should be considered provisional until they are audited or it is decided that they will not be audited.

Conducting an Audit (A Manual Count or Check)

The votes could be counted manually as in the paper system, but this leads to issues with the random distribution of surpluses. One option is to use pure proportional representation in both the electronic and manual counts. This would be a slow process to do manually.

The system I suggest here is based on pure proportional representation, but instead of conducting a full manual count, the paper ballots for each box (i.e. each machine) are compared to the electronic record of votes.

Briefly, the audit is based on the following:

The electronic system would print a record of all votes cast electronically and this printout would be compared to paper ballots (by the count staff in the presence of agents).
These printouts could be compared to a published electronic record of the votes (by agents).
Steps 1 and 2 combined verify that the paper ballots match the published electronic data. All that remains is to verify that the count of this data matches the official count.
The published electronic record of the votes could be counted electronically, independently of the IES software (by anyone). (For example, using an open-source program).

This system requires some computer literacy on the part of the agents, for them to fully verify the result. However, for an error in the count (Step 3) to be discovered requires only one person in the country to be computer literate enough, opposed to the fraud and interested enough to do the check. For the non computer literate public to see that the count was verified, each candidate (or at least each party) would have to be able to nominate one agent who could do the check. Since only basic computer literacy is required, I don't think that this is a serious problem.

Step 3 also requires each party to either have access to software which they trust to do the count or to do a count manually. The latter is likely to be too expensive. A party would tend to trust a program if either:

It was checked by someone who they trust - this could be a party member, an organisation who they trust (this could be an independent organisation or one with connections to the party) or just an independent person who they believe to be honest or who has a good reputation.
All parties probably have some programmers among their members, one of whom could examine the code of a vote-counting program. It is likely that at least one implementation of the counting algorithm would written in a simple and clear style, possibly with good documentation. Such an implementation would be relatively easy to check, although there is no guarantee that an error would be discovered, especially if it is malicously hidden.
It was written by someone they trust (could be any of the people mentioned in the previous point). The complexity of the program is low enough that most parties could probably do this.

Even if a party does not trust any single implementation, they could use a number of different implementations to verify that they produce the same result. They could choose implementations from people who are unlikely to be in collusion. (There is a potential risk of one of these programs containing malicious code, but since a lot of other people could also be running it, this is likely to be discovered).

It is likely that there would be a few open-source implementations of this software (I know of two being written at the moment, including my own one) available from people with different political interests. Any computer literate person could verify that each of these gives the same result.

Comparison of paper ballots to electronic records of votes could be done as follows:

The IES (count centre) software would print a summary of all votes in the box (see the section Software Changes - IES Software). A copy would be printed for each party or non-party candidate for whom an agent is present, and one for the count staff. The appropriate number of copies would be printed. Then the agent(s) of each party or non-party candidate would choose one copy each and the count staff would give it to them. The remaining copy would then be used by the count staff. In the event that too many copies were printed, an agent or agents (selected by drawing of lots if necessary) would choose a second (or more) copy, so that only one remains for the count staff and it is not chosen by them, nor by the agent(s) of any one party.
The list of all electronic votes is given to the agents in digital form. It is also published in digital form, free of charge, immediately after the audit, at the latest. Ideally, they would be published when the constituency is chosen to be audited. The most practical method, currently, in my opinion, is the Internet.
This could be done before or after Step 3. I propose that it should be before it, as follows:
1. The list of all electronic votes for the same machines as the printed report would be written to CD-R media on the PC running IES. A copy would be produced for each party or non-party candidate for whom an agent is present and wants a copy. One extra copy would be made for the count staff.
2. These discs would be distributed to the agents in the same way as the printed reports were.
3. One of these discs would then be taken to a PC (which does not IES) in the count centre with an internet connection, and uploaded from there to an FTP site or web site, in the presence of the agents.
  Then members of the public could verify the count of these (but not the comparison to the paper ballots) while the audit was in progress. The media used in the transfer should not be reinserted into the PC running IES (in order to avoid the risk of a virus being transferred from the PC with the internet connection).
The count staff would systematically match each individual printed ballot to an item on the printed list of votes, and mark it on the list. A discrepancy is discovered if, at any point in the process, there is found to be more instances of a unique vote (set of preferences) in the paper ballots than in the printed list of electronic ballots (this includes if there is no match at all for one of the paper ballots), or when all votes have been matched, there are votes on the list of electronic votes which have not been matched to paper ballots.
When a discrepancy is found:
- If a paper ballot was found with a set of preferences which does not appear in the electronic record at all, this is definitive and indisputable proof of failure - the electronic result can be declared void even before the comparison is complete. It can be seen by looking at the single paper ballot and the place in the list of electronic votes where the match should be, that the system has failed, so it is very clear that this is an actual failure and not an error in the audit.
- If any other discrepancy is found, the check is immediately restarted (since the most likely cause of the discrepancy is human error in the comparison). This time, as the votes are matched, the paper ballots are sorted into the same order as the list of electronic ones. (This could be done on the first check. The frequency of errors in the paper check would determine whether this would be more efficient). If an error is found this time, it will be easier to verify from the sorted paper ballots.
  - If more paper ballots with a certain set of preferences are found than matching votes in the list of electronic votes, then all paper ballots with these preferences are located from the sorted collection of paper ballots. If there are less paper ballots here than were marked off on the list of electronic votes, then the all paper ballots are re-examined to find any more matching these ones. If more paper ballots than electronic ones are located for a given set of preferences, these are definitive proof of failure. Since there are likely to be a small number of identical votes, it should be very clear that this is an actual failure and not an error in the auditing process.
  - If the electronic list of votes has less of a certain unique vote than there are matching paper ballots, all paper ballots have to be carefully examined to confirm this. If, after rechecking (a few times, if necessary), they are still found not to match, this demonstrates failure of the system.
If the comparison fails, see the section Failure Discovered During Counting or Auditing below.
If they had not already done so, the agents could verify the count of the electronic votes. They could use laptop computers at the count centre to do this.

In The Event Of Failure

It should be accepted that if the electronic system fails, significant expense may be incurred by extended auditing and, possibly, counting votes in another way (even manually if necessary) - this is the price of democracy. The measures discussed in this section are last resorts, which it is hoped would never have to be used.

Failure During Voting

In this case, votes already cast cannot be relied upon. Most of the paper ballots are probably correct, but some may be incorrect due to the voter not checking them.

If the fault is thought to affect only certain machines, those machines could be taken out of service and voters who would have voted on them could use other machines in the same polling station, if there is more than one machine. The machines could be replaced with spare ones. However, it may not be apparent at that stage, whether the fault affects only one machine or is a software bug or design flaw which affects all machines.

One option is to stop using the electronic system and revert to the manual system of voting. This would require stationary and ballot boxes to be kept at each polling station or at central locations from which they could quickly be delivered to a polling station when needed.

If the fault found did not involve printing paper ballots wrongly, and did not prevent votes from being entered as the voter intended, voting could continue until the close of polling, with voters, everywhere in the country, could be reminded to check their paper ballots. Then votes from the affected machines could be entered manually during the count.

After the voting, an investigation would be held to determine the cause and extent of the failure. It would then be possible to assess whether all electronic votes or all paper ballots from the affected machines can be relied upon.

If it is decided that only the paper ballots can be relied upon, then these would be entered manually.

If it is decided that both paper and electronic records should be correct, then the count would proceed as usual, but the affected machines would have to be audited.

Depending on the nature of the fault, the affected machines may be all machines in the whole country.

If it is decided that the paper ballots cannot be relied upon, and that the number of such ballots is enough to change the result of the election, then an election should be held again, in which only the voters who voted on the affected machines vote. The votes cast in this way would replace those from the affected machines in the original election and the count would then be completed in the affected constituencies.

If the cause was determined to be fraud, the election should be held again, if necessary without using the electronic system. I consider this necessary because the full extent of the fraud may not have been discovered.

Failure Discovered During Counting or Auditing

If the system is found to have failed (i.e. produced an incorrect result), three things happen:

Either the fault must be found and corrected in a transparent way (and then the constituency must be fully audited again) or the constituency in which it is found to have failed must be counted by another means.
The audit must be extended, i.e. a greater proportion of constituencies must be audited. If the fault is not identified (and transparently revealed), then any constituency could have suffered the same fault. Therefore all constituencies should be audited. If the fault is identified, then it could be determined which constituencies could have been affected. However, since there is the risk of human error in making this determination, an increased number of constituencies should still be chosen (randomly or selected by agents) to be audited.
An investigation into the cause of the failure is carried out. The first phase of this investigation would involve examining equipment and software. This may be hindered by the fact that the software is not open-source. Procedures should be defined detailing how this examination should be carried out. The agents should be entitled to be given copies of the software installed on any relevant count centre PCs. The aim of this first phase is to localise the fault (determine what parts of the system are affected) and classify the failure as one or more of the following:
1. Human error in configuration or operation of the system.
2. Once-off permanent hardware failure - e.g. faulty of an electronic component, accidental damage to a machine.
3. Hardware malfunction - e.g. cosmic ray or other freak occurrence.
4. Hardware design fault (affects all machines of a particular model).
5. Software bug.
6. Fraud.
If the cause is not fraud, then the investigation becomes a quality control issue. If there is evidence of fraud, a criminal investigation must be held. This investigation must be independent of the government and regulations must require funding to be made available (not at the discretion of the government). The Garda commissioner must be entitled to divert Garda resources to this investigation, at his discretion.

The investigation must be thorough since fraud could possibly be disguised as another type of failure. In the event of fraud, there is no guarantee that the cause will actually be determined as fraud (it could be mistaken for another type of failure or never determined). For this reason, the penalties for fraud must be high, to provide a deterrent.

Paper ballots should be kept for a reasonable amount of time after an election, in case evidence of fraud emerges at a later stage. The continuing risk of being caught long after the event should provide a further disincentive to commit fraud.

If the failure was caused by a software bug, which is then fixed, demonstrating what the fault was would help restore confidence in the system. This can easily be done in an open-source system - once the bug is revealed, programmers can locate it and verify it in a copy of the software which was released before the election. However, in a non open-source system, it is likely that the public will never know whether the failure was caused by tampering or a bug, unless they completely trust the software vendors to tell them this. For this reason, I think that, in a non open-source system, such as this, it would be necessary to audit all constituencies in the event of a failure.

Counting When The Electronic System Fails

I have not specified this in detail yet, but briefly, the options are:

Full manual count.
Manual entry of votes and counting by open-source software for the purpose or more generic software such as a spreadsheet package.
Use of part of the electronic system, for example, using the count software (IES) but entering the votes manually.
Any other method agreed by all candidates and the returning officer.

Use of any method other than a full manual count should require the agreement of all candidates and the returning officer.

If a spoilt vote is supported, it might use one of the buttons which would otherwise be used for candidates (thus reducing the maximum number of candidates in each election by 1).

There would be a facility to define groups of machines (or ballot modules, since one ballot module comes from each machine). When the number of votes cast on a particular machine (on its ballot module) is below a certain threshold, it would be grouped with one or more other machines. These groups would be defined before reading the modules. One of these groups could be selected to print a list of votes for. When a machine is in a group, the system would not print a list of votes for that machine individually nor allow searching for a vote from that machine specifically. Some method combining votes from a number of machines is needed whether a VVAT is used or not (Minister Cullen has promised this), though in the system, as it is now, this could be done by software external to IES.

Evoting

John Lambe

Election	Title of the election.
Electoral Area:	The electoral area (constituency, ward, etc.) in which the machine was used.
Machine(s):	The number of the machine, or all machines in the group. If the ballot module has a serial number, it would also be printed here.
First and Last Votes:	The time at which the first vote and last vote on the module were recorded. This is not essential, but I suggest that recording this on the voting machine, reading it to the count centre PC and displaying it here would be useful.
Start and End of Voting:	The time period during which the machine was in a mode where it accepts votes. Another feature which is not essential but might be useful.
Number of Votes:	The total number of votes cast on the machines (this does not include rejected ones), the number of votes excluding deliberately spoiled ones (if this is supported), the number of rejected votes, the number of times the machine was activated without recording a vote.
Hash (SHA-1):	A cryptographically secure hash of the binary data of the votes on the ballot module (as one block), in a clearly defined format. This is not currently supported by the system, and is not essential, but could improve security if was added and the voting machine printed a copy of it for each agent at the end of polling.
Printed at:	The time at which this report was printed, the page number and number of pages.
Count PC serial number:	Any unique ID of hardware in this PC. For example, it could be an Intel CPUID.
Ballot module read at:	The time at which the ballot module was read by the count centre PC. If any votes were entered manually (see point 3 below), the number of such votes would be shown here also.
Voting machine model:	The model of voting machine used, and the revision of the motherboard, if applicable and available.
Voting machine software version:	The version number of the firmware in the voting machine.
IES version:	The version of the software on the count centre PC.