A computerised system is being used for the first time in the 2016 election count for the Senate, and only part of its process is open to scrutiny, write Roland Wen and Richard Buckland.
OPINION: A computerised system is being used for the first time in the 2016 election count for all Senate ballot papers to capture voters’ preferences.
On the surface, this process, conducted out of the public gaze, may not seem to have significant risk compared to electronic voting and electronic counting. However, it has similar risks to full-scale electronic voting.
Electronic election systems can fail catastrophically (wrong person elected), irreversibly (hold the election again?) and invisibly (could I notice if my vote was counted incorrectly?). This is significantly different from commercial systems such as electronic banking.
Accordingly, electronic election systems need to be engineered extremely carefully to control the risk and rate of flaws and bugs, and be developed and operated openly with scrutiny so that bugs, errors and vulnerabilities, which will inevitably be present, can be detected before they have a difficult-to-reverse impact.
However, the new Senate vote capture system had to be built rapidly, with little time for design or testing, and is being operated in a way that allows only part of the process to be scrutinised.
There are risks that time pressures over the next few weeks may encourage shortcuts to be taken that would further reduce the level of scrutiny, and also reduce the integrity of the vote capture process. This new system may well prove to be the weakest link in the election process.
The new vote capture system is a consequence of the Senate voting rule changes made in March – voters are allowed to mark multiple preferences for both above-the-line and below-the-line voting. As a result, the vote preferences in all Senate ballots must be captured for electronic counting.
Previously, multiple preferences were allowed only for below-the-line voting, which occurred in just 3% of Senate ballots. With the new voting rules nearly 100% of ballots have multiple preferences.
To handle the substantial increase in data entry volume, a more efficient vote capture system needed to be rapidly developed.
The new system scans each Senate ballot and determines the preferences using optical character recognition (OCR) software. A human operator may check and correct these preferences as needed. Separately, another human operator views the scanned image and manually enters the preferences.
The computer’s preferences and the manually entered preferences are compared. If they don’t match, the preferences are corrected by a different operator.
Senate vote capture process (recommended additional steps shown with dashes). Authors
Scrutineers can observe this process as it is happening and intervene if they notice anything being entered incorrectly.
This process has commendable features. The dual checking of preference marking is important: OCR software has notorious difficulties correctly interpreting the highly variable handwriting of millions of voters.
With all automated election systems (voting, capturing, counting) the key danger to be controlled is of the votes eventually counted not being the same as those cast by the voters.
The impact of even infrequent errors is amplified in the current Senate vote capture system because all votes are potentially affected, rather than the smaller proportion of votes processed in previous elections.
Suppose an optimistic capture accuracy of 99.9%. In New South Wales, which has 4.6 million Senate ballot papers, there would be about 4,600 incorrect votes. This could easily change Senate outcomes.
In reality, the capture accuracy could be reduced by a number of critical weak points in the system:
operators making corrections could introduce deliberate or unintentional errors: vote tampering by officials has been reported in the past;
all scrutiny and checking is against a displayed image of a ballot, not the physical ballot itself. Vote changes due to accidental or malicious bugs in the image scanning or display software will be entirely invisible to operators and scrutineers;
operators and scrutineers working long shifts will make mistakes and overlook errors. This is exacerbated by fast processing of ballot papers as part of the system’s design, and by potential shortages of scrutineers; and
mounting time pressure over the coming weeks could lead to manual checks and scrutiny being reduced or dropped to speed up the process.
Another critical vulnerability is that votes could be altered by tampering or error after capture but before being transferred to the counting system. The current process doesn’t provide a way for the Australian Electoral Commission or scrutineers to check that the system preserves vote integrity.
This is an underlying problem with election technology: scrutiny requires highly specialised skills to check what is electronic, invisible and cryptic. And candidates with concerns over undetected technological bugs and failures currently have no recourse aside from general provisions for recounts.
It is essential that a random sample of the paper Senate ballots be checked against the final published electronic votes used for counting. This will help assure the integrity of the entire vote capture process.
To mitigate the emerging risks of election technology a new approach to scrutiny and transparency is necessary.
A good first step, already adopted overseas (such as in Norway), would be to establish an independent electronic election board to provide oversight and scrutiny of election technology. This board would consist of experts from a range of fields, including election management, failure-critical engineering, security, risk, audit and statistics.
With technology increasingly pervading elections, immediate steps towards effective, meaningful scrutiny of election technology is the only way to maintain trust in Australia’s traditionally high-quality electoral process.
This article was co-authored by Ian Brightwell, former director of IT at the New South Wales Electoral Commission.
Roland Wen is a Visiting Fellow, UNSW.
Richard Buckland is an Associate Professor in Computer Security, Cybercrime, and Cyberterror, UNSW.
This opinion piece was first published in The Conversation.