technology assisted voting nsw state election 26 march 2011
TRANSCRIPT
1
Technology Assisted Voting
NSW State Election26 March 2011
Ian Brightwell, CIO NSWEC & iVote Manager
2
Background – Other Jurisdictions
• History in Australia– The Australian Electoral Commission in 2007 used a remote
electronic voting system for ADF, then in 2008 used an in polling place system.
– Victorian Electoral Commission had provided electronic voting at 2006 and 2010 elections principally for disabled electors
– ACT uses in polling place system for all polling places which allowed some 44,000 people to vote in 2008
– Tasmanian Electoral Commission trialled one voting kiosk in 2007 election.
Background – Other Jurisdictions (cont…)
• Overseas– Estonia has conducted the largest remote online parliamentary
election in 2011 where 140,846 voted using the internet out of 913, 346 electors
– Brazil uses voting machines in large number of polling places– India used over 1M voting machines in 2004– Switzerland used a remote electronic voting system– Other countries – Britain, Ireland, Canada, New Zealand, US
3
Why Technology Assisted Voting
– Interest groups representing electors with a disability or a vision impairment requested accessible and private voting options
– Judicial decision to provide braille ballot papers existed– In March 2010 the NSW Government requested a feasibility
report into electronic voting for NSW State General Election 2011
– Report tabled in NSW Parliament September 2010– Parliament endorsed the report and appropriated funds for
implementation– iVote legislation passed on 2 December 2010 with an
amendment to include electors outside NSW on polling day
4
The Project
• Cost – $3.6M• Team
– NSW Electoral Commission - me– Core Voting System Supplier – Everyone Counts (on/off shore)– System Integration – Logica – about 6 (on site)– Testing - Birlasoft – 1 onsite and 1 off shore– Experts – 4 other specialists– Call Centre staff and management
• Timeline– Report start March 2010– Team ramp-up September 2010– Wrap-up end of March 2011
5
6
Technology Assisted Voting basics
• What is iVote?– Voting by phone using as standard handset and DTMF tones– Voting over the internet using a standard web browser
• Who can use iVote?– Electors who are blind or who have low vision– Physically incapacitated or illiterate electors who could not vote without
assistance– Disabled (within the meaning of the Disability Discrimination Act 1992)– Rural voters (live more than 20km from a polling place)– Electors outside NSW on Election Day
• Electoral Commissioner approves procedures –registration, secrecy of ballot, security of systems, scrutiny of ballot papers printed from the virtual ballot box
7
Technology Assisted Voting basics (cont…)
• Registering for iVote– Person must be on NSW electoral roll when writ issued in order
to register– Elector can apply to register by phone to call centre or self
service web browser over internet– Elector provides a 6 digit PIN at the time of registration– NSWEC provides an 8 digit iVote number when registration is
accepted– iVote number is delivered by post plus if requested SMS and
email and to disabled by telephone– Registration commenced on 17 February and finished on 23
March 2011 (2 days before election day)
Technology Assisted Voting basics (cont…)
• Candidate details– Captured during nominations process– Published on NSWEC website after close of nominations as both
text and sound files– Candidates have 2 days to listen to sound files and advise
NSWEC of any mispronunciations– Male and female voice to distinguish between voting instructions
and candidate/party names– Details loaded to IVR and web systems 2 days after close of
nominations
8
9
Technology Assisted Voting basics (cont…)
• Using iVote– Voting to take place between 8am Monday 14th and Friday 6pm
25th March 2011 (the same as pre-poll period)– Elector must have PIN and iVote number to vote– iVote by Phone follows the Telephone Voting Standard from
Electoral Council of Australia– The Legislative Assembly ballot is presented first, followed by
the Legislative Council ballot– A voter receipt is provided for votes cast and accepted by phone
or internet– Receipt can be checked from 28th March by entering iVote
number on phone or web to hear/see the same receipt
10
Getting the iVote message out
• Promotions directed to target groups including:– Blindness and disability support groups– Direct mail to remote electors– Radio advertising on 2PRH– Call-out campaign by Vision Australia
• Two weeks of print advertising across NSW• Internet advertising targeting people outside NSW • Facebook, Twitter and YouTube promotions• iVote information included in some general advertising• iVote posters in RO offices• Information of NSWEC web sites
11
Registrations
Applications
Application Ground Call Centre Web Browser TotalUnique
Electors
People outside NSW on polling day 7,375 40,074 47,449 47,038
People who are 20km from a Polling Place 419 1,415 1,834 1,830
People with Disabilities 350 1,123 1,473 1,457
People who are blind or have low vision or are illiterate 376 413 789 778
Total 8,520 43,025 51,545 51,103
Registrations by Day
12
0
1000
2000
3000
4000
5000
600017
-Feb
-11
18-F
eb-1
119
-Feb
-11
20-F
eb-1
121
-Feb
-11
22-F
eb-1
123
-Feb
-11
24-F
eb-1
125
-Feb
-11
26-F
eb-1
127
-Feb
-11
28-F
eb-1
11-
Mar
-11
2-M
ar-1
13-
Mar
-11
4-M
ar-1
15-
Mar
-11
6-M
ar-1
17-
Mar
-11
8-M
ar-1
19-
Mar
-11
10-M
ar-1
111
-Mar
-11
12-M
ar-1
113
-Mar
-11
14-M
ar-1
115
-Mar
-11
16-M
ar-1
117
-Mar
-11
18-M
ar-1
119
-Mar
-11
20-M
ar-1
121
-Mar
-11
22-M
ar-1
123
-Mar
-11
24-M
ar-1
125
-Mar
-11
Web
Call Ctr
Registration FinishVoting Starts
Voted
13
Application Ground Phone Web Browser Total
People outside NSW on polling day 1,780 41,477 43,257
People who are 20km from a Polling Place 101 1,542 1,643
People with Disabilities 160 1,136 1,296
People who are blind or have low vision or are illiterate 218 450 668
Totals 2,259 44,605 46,864
Voters by Age and Grounds
14
Web Voting
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
18 - 34 35 - 49 50 - 64 65 +
Blind, LowVision,Illiteracy
OutsideNSW
Disability
20 km frompolling place
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
18 - 34 35 - 49 50 - 64 65 +
Phone Voting
Voters Year of Birth
15
0
200
400
600
800
1000
1200
1400
1600
1911
1914
1916
1918
1920
1922
1924
1926
1928
1930
1932
1934
1936
1938
1940
1942
1944
1946
1948
1950
1952
1954
1956
1958
1960
1962
1964
1966
1968
1970
1972
1974
1976
1978
1980
1982
1984
1986
1988
1990
1992
Web
Phone
Votes taken by day
16
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
Web
Phone
Close of Registration
Average Votes per hour during a day
17
0.00
50.00
100.00
150.00
200.00
250.00
300.00
350.00
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Web
Phone
Peak Time 7 to 9pm
18
Election Day Processing
• Re-organise the space to set-up 8 printers
• Printing voter preferences– Scrutiny (has a vote already been accepted?)– Unlocking the system by quorum (3 of 5) of Electoral Board– Decryption of votes and printing ballot papers
(all on special A4 paper with LA printed 3 per sheet and then cut)– Despatching to Returning Officers– Scrutineers
Registration Process
19
PSTN
NSWEC Registration
SystemNSWEC Data Ctr.
iVote Acknowledgement Letter distribution by mail to enrolled address
iVote Registration System
Elector
Call Ctr.
Applicants not on Authorised Roll
Mail-Merge of data with appropriate
templates
Registered iVoters with PIN
iVote Credentials for distribution by mail, SMS, email
Credential Distribution
NSWEC Data Ctr
Letter to Applicant
Email Distributionvia SMTP gateway
SMS Distributionvia exetel gateway
Call Ctr.
File of electors to call with iVote number
Letters sent (possibly via mail-house)
iVote Credential Management
See – iVote Voting System Diagram
PSTN & Internet
Voting Process
20
Applicant load and Credentials process
Voting
Election Configuration
Vote decryption and Printing process
iVote Voting System
Scrutiny process
PSTN
iVote Core systemData Centre
iVote Credential Management
“eGad”Stand-alone
Registered iVoters with PIN
NSWEC Registration
SystemSee – iVote Registration
System Diagram
iVote Decryption Management
“eGad”Stand-alone
Ballot Paper PDF image creation
“eGad”Stand-alone
Ballot Papers PDF image
Ballot Paper Print SystemStand-alone
iVote Credentials distribution by mail, SMS, email
Ballot Paper Reconciliation
Rpt.
Elector votes
iVote Voters;Election, Elector ID
EMA iVote ScrutinyNSWEC Data Ctr.
Ineligible Voters Report
Credential DistributionSee – iVote Registration
E1C components
iVote Votes;Election, District, Candidate/Group, Preferences
Ballot Papers
iVote Configuration & Setup SystemStand-alone
NSWEC Configuration Data
See – iVote Configuration Data
Diagram
iVote Election Configuration; Districts, Candidates, Groups/RPP and Voice data
Ballot PapersBallot Papers
iVote Voters by iVote Number
CB Perl script & data (to add SPID & elector details)
Ballot Paper First Pref Count
Stand-alone
CB Perl script & data (to store
iVote No. to SPID)On eGad machine
No elector details loaded
First Pref. Results data Rpt.
22
Security of Remote Electronic Voting
• iVote Integrity– Independent development of a test standard– Extensive testing including; intrusion testing and usability testing– Independent audit reports before and after the election
• Offence for hacking/tampering– The legislation for technology assisted voting introduced
offences with a maximum penalty of $11,000 and 3 years
Security Approach
• Registration and Voting– Every registrant had a letter sent to their enrolled address
verifying they registered for iVote. They were asked to contact NSWEC if they had not registered for iVote to identify if any impersonations occurred (no complaints were received)
– Over 99% of registrants who tried to vote using iVote voted successfully i.e. about 250 voters who tried to vote failed.
– Elector sent iVote Number which entitled them to vote once.– If elector was not able to vote with their iVote Number or forgot
their PIN, the elector could re-register and be issued new iVote Number, the old vote was deleted. This meant anyone steeling credentials had their vote removed.
23
Security Approach (cont…)
• Vote Security– To vote you need credentials (Two Factor security)
• PIN Number provided by voter not known to election officials – 6 digit
• iVote Number provided by NSWEC – 8 digit– No voter details held on core voting system
• Only a hash of the PIN and iVote Number held on voting server to be used for authentication of entered values by user
• Hashing done using large “salt” to make more difficult to break encryption using brute force approach
– Only allowed to vote once. Able to “delete” encrypted votes of electors who have voted or should not have voted
– Issued receipt upon completion of successful vote which the elector can use to check their vote has been correctly processed after election closed
24
Security Approach (cont…)
• System Security– Computer system locked at commencement of election and only
Electoral Commissioner and iVote Manager have “keys”– Passwords to electronic ballot box held by 5 trussed people.
Quorum of 3 needed to open or close ballot box– Electronic ballot box closed (encrypted) at beginning of election
such that the contents of votes put into the box are not visible to anyone. Votes in electronic ballot box are like postal votes inside an envelope
– Electronic ballot box opening (decrypt) when election closed separating the vote from the voter and allowing vote to be printed
– Opening and closing of box witnessed by scrutineers
25
Scrutiny
26
• Paper System– Candidates/Parties nominate persons to observe vote counting
processes on election night operations in polling place and post election night in Returning Officer offices
• iVote System– System scrutinised by independent software auditors for security
and integrity of key software and encryption processes– System tested by independent testing company– Voting system audited against iVote Standard by PWC– Encryption and decryption process witnessed by scrutineers– Ballot Printing and reconciliation process witnessed by
scrutineers and reconciled to expected votes from decryption and log file data
– Counting of ballots done using standard counting and scrutiny
27
The vast majority of comments are positive
• Twitter:– “Kudos to Electoral Commission NSW for iVote system.”– “Just voted online in the NSW State Elections. Impressed I can
now vote online. Not so impressed at the candidates.”– “Still overseas and voted today for NSW election using iVote
online. Surprisingly efficient and easy.”• iVote feedback via email, survey monkey and voicemail:
– “To let you know the iVote online voting is brilliant. Hopefully we won't need to be overseas to use it next time. Thanks to all involved in providing the service”
– “It's NO WONDER people don't vote,who was the brainless moron who developed you ivote website?They should go back to MacDonalds although I doubt they could hold down a job there(they require a modicum of intelligence)”
Incidents
• Operator Error– 1026 Electors receiving seven-digit PINS– 842 Reminder to vote being sent to people who had already
voted
• Infrastructure Failure– 37 minute failure between iVote data centres – no lost votes– 9 minute outage of live iVote system – no cause identified
• Programming Error– iVote by Web allowing letter “N” onto 43 ballots due to java script
error
• Voting problems– About 175 voters appeared to experience problems voting
29
Lessons Learnt
• Governance drives every aspect of the project• Not really a technology project• In house team with supplier technology support• More time – 6 months is not enough for implementation• Test, Test, Test – Useability, Functional, Stress, boundary• Test Harness – need to simulate election in final
production environment under worst conditions• Supply must lead demand or suffer the consequence• The little things count (it is amazing what you think is
obvious and the rest of the world does not see).
30