back to article Samba man 'Tridge' accidentally helps to sink request for Oz voteware source code

Dr Andrew Tridgell, creator of the Samba file server and the rsync algorithm, appears to have inadvertently helped to sink a freedom of information (FOI) request for access to the source code of software used to count votes in Australian elections. Tridgell was called as a witness by Hobart lawyer Michael Cordover, who sought …

  1. Anonymous Coward
    Anonymous Coward

    So profit takes priority to fair elections? Nice to see them actually saying it.

    1. Anonymous Coward
      Anonymous Coward

      > So profit takes priority to fair elections?

      That's exactly what I came here to say.

      Nice to see that someone else thinks alike.

      Not so nice to see that those who are directly responsible do not think alike.

    2. Anonymous Coward
      Anonymous Coward

      Can someone from Australia fill us in

      Is the AEC is a government body? If so, why should it care about the value of its source code? Has the AEC ever licensed software or other IP previously? Is that part of its mission? Is this sort of thing common in Australian government?

      It seems to me like this "but it has value that would be lost" is just an excuse to keep the process hidden. At least in the US the argument has some legitimacy, since private for-profit corporations developed the software running our elections. Yes, obviously that's not a good thing, but at least when we're told we can't look at the source code we understand why. Australia has accomplished the hard part of this already - having a government body in charge of the election software.

      Letting the AEC keep that software hidden makes things WORSE for Australia than in the US! At least here there are multiple companies that are supplying voting machines, so it is harder for one company to tilt the elections (other than a close presidential election, due to the small number of 'swing' states that matter when it is tight) or for an incumbent government to remain in power by corrupting them (since the other party can always come up with more money to corrupt them the other way) In Australia the government itself runs the elections, so a corrupt incumbent government could seemingly guarantee they remain in power forever...

      1. Concrete Gannet

        Re: Can someone from Australia fill us in

        Yes, the Australian Electoral Commission is a statutory agency of the Australian government (http://www.aec.gov.au/About_AEC/index.htm).

        As well as conducting Australian elections, it conducts elections for other bodies like trade unions and I seem to recall it has also made some export sales of EasyCount. The EasyCount software at the heart of Michael Cordover's request is a money-making product for the AEC.

        As others have observed here, it seems AUD 18m a year of revenue trumps the right to verify that elections are fair.

        Sadly, public sector agencies in Australia often try to derive commercial value from their assets. There is considerable institutional resistance to open data. For example, the public sector mapping people have only just made geocoded address data freely available (https://blog.data.gov.au/news-media/blog/geocoded-national-address-data-be-made-openly-available); it used to be very expensive to get access to that data. Vital statistics registries have made profits from publishing birth, death and marriage data for family history researchers.

        My understanding is that in the US there's a general culture of "the taxpayer has already paid for it, so the taxpayer should have it without further expense". That hasn't been the case in Australia.

        While it's conceivable an incumbent government might attempt to tell the AEC to rig an election, it would be nigh-impossible to pull off. The AEC is an arms-length independent body. It determines electoral boundaries, and we don't have gerrymandering. If there is any flaw in EasyCount that allows an election to be miscounted or even rigged, I think it likely it would be by accident and not design.

  2. mathew42

    Is source code necessary to validate correctness?

    While I support releasing the code as open source, I'm not convinced this is necessary. If AEC provide the software, then numerous test cases can be written to validate the output for different voting platforms.

    Obviously there is some level of trust that the binary is the same one used on election night and the binary doesn't contain logic that is only triggered in certain scenarios, but appropriate validation and testing should be able to give a reasonable level of confidence. Even with the source code there is no guarantee that the source code is not altered before the binary is built.

    Alternatively, the government could consider that the preferential voting system used in Australia is superior and that propagation of the model would enhance democracy around the world.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is source code necessary to validate correctness?

      I've done some thinking on this previously, and while it's a "nice to have", you are correct regarding trust: there's no proof when you walk into a polling booth that the computer used there runs the code you inspected.

      You do not have the time or access to inspect it closely enough to detect the difference, and so it could be running that code, or it could be running a complete look-a-like, with completely different guts. You'd never know.

      Ultimately, you're putting trust in the AEC regardless, even if they do everything by hand.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is source code necessary to validate correctness?

        Just need to be able to take a hash of the codebase on the machine - doesn't hash to a known good version => inadmissible - or some other similar verification scheme using a trusted third party or two with NDAs to cover code confidentiality with source code that is compiled on a "standard" system in a reproducible manner to created the hash-able base. Make sure codebase runs on independent standardised or open hardware thereby removing sub-codebase gaming.. It really isn't an insurmountable issue.

        1. Charles 9

          Re: Is source code necessary to validate correctness?

          Having an open codebase does squat against a hardware subversion (and El Reg has had articles about that such as subverted hard drive firmware), and given the importance of elections, you have to assume someone will have the resources to secretly subvert any voting machine maker to hide a secret code in a normal-looking chip that only gets activated on a secret code set at the hardware level, otherwise totally invisible. How do you battle something that resourceful?

      2. LucreLout

        Re: Is source code necessary to validate correctness?

        @Stuart Longland

        Ultimately, you're putting trust in the AEC regardless, even if they do everything by hand.

        Yes, I'd agree with that. However, what you're also doing is putting your trust in the quality of AECs developers. With a code release, it becomes easier to validate that the software is fit for purpose and contains no obvious security flaws.

        I also wonder what their InfoSec status is, given the affect of altering the code in their main repository, I'd hope there is some sort of independent verification of their process & procedures. That's no slur on AEC, lest they let rip the dogs of law, I'd make a similar assertion regarding all e-voting outfits.

    2. Flocke Kroes Silver badge

      Re: Is source code necessary to validate correctness?

      Test cases sufficient? Ask VW.

      Personally, I think this software has no value in elections until the source code is available for review. This also makes to possibility of secret illegal copying impossible: whoever copies it is going to have to provide the 'their' source code for verification, leading to immediate proof of illegal copying.

      I like to idea of machines counting bits of paper, because that leaves a permanent record that can be verified.

      1. a_yank_lurker

        Re: Is source code necessary to validate correctness?

        If the application is critical to public's trust in something, elections in this case, then the code must open sourced for anyone to inspect. Test cases only mean for those cases the code appears to give the correct result. By extension, it is assumed the code will always give the correct result. If one knows the test cases, one can game the system, ask VW.

        1. Anonymous Coward
          Anonymous Coward

          Re: Is source code necessary to validate correctness?

          If the application is critical to public's trust in something, elections in this case, then the code must open sourced for anyone to inspect.

          So when you walk into the polling booth, how do you determine that the computer is running a compiled version of the code you inspected? Even worse, how do you tell when the computer is only used by election staff?

          How do they tell the difference between someone just wanting to satisfy their own paranoia and someone who wishes to implant malware that would influence the election result?

          Those who say to display a hash … I could make that code display any hash that I wanted, there's no proof that it's the real one.

      2. Martin Gregorie

        Re: Is source code necessary to validate correctness?

        No, I don't think it is. What IS necessary is that the specifications for the voting software should be published and that they should be sufficiently detailed for a competent team to develop a comprehensive test suite from it that includes a set of test cases capable of exhaustively checking the conformance of the voting software to the published specification. All such test suites should be open sourced so that they can be independently verified should their results be challenged.

        Electoral law should require that any voter can check the voting software by using a test suite developed from the voting software specification and that, should a independently verified test suite show the voting software is non-compliant with the published specification, the election will be declared invalid.

        This approach allows the voting software to remain proprietary while still allowing it to be functionally verified against its public specification.

        1. Charles 9

          Re: Is source code necessary to validate correctness?

          But what's to prevent the voting machine pulling a VW: what I would call being a Janus, putting forth two different faces during testing and during actual use, and if it's done at a low enough level, there's no way for the testers to tell the difference between them, even if they have access to the source code (as someone said, there is no proof that the compiled open source you obtain is the same that is used in actual production, which may be hidden away in a component such that you can't detect it without expensive equipment).

      3. maffski

        Re: Is source code necessary to validate correctness?

        'Test cases sufficient? Ask VW'

        In software terms I'd trust a proper suite of test cases more than code reviews.

        1. streaky

          Re: Is source code necessary to validate correctness?

          In software terms I'd trust a proper suite of test cases more than code reviews

          In software terms you can't write them without knowing the code, and you still can't prove from tests it's not open to being subverted. To prove that even on a software level directly you'd have to have the source, use reproducable binaries, prove those reproducable binaries are actually in use and also assume there's no man behind the curtain manipulating data in memory. Throws up all kinds of issues and all of them won't be understood at all by the average returning officer.

          A returning officer understands bits of paper in a pile and can check counts by sampling.

          Electronic counts are manipulatable by the average 7 year old, there's no checks/balances and I'd never trust one.

      4. Anonymous Coward
        Anonymous Coward

        Re: Is source code necessary to validate correctness?

        Actually, VW did know the test cases in advance, and was able to code against them. Also, the test cases were truly "artificial" and didn't cover real driving conditions, so they were easier to spot.

        Test performed by different entities on true running cars yeld the true data. Good tests should not let the tested system "understand" if it's being tested or not.

    3. streaky

      Re: Is source code necessary to validate correctness?

      Is source code necessary to validate correctness?

      I defer the answer to this question to the Volkswagen Group.

      Also.. yes?

      The answer to this question is to not use code produced in commercial interest - or have it produced by a commercial interest paid by the state with the state taking full ownership of the finished product and source.

      Even when it's built as desired there's no way of telling it isn't being manipulated - frankly electronic counts are idiotic; but then are so all other ways of counting votes.

      Not for nothing the central issue is that the core functionality of the system - to count things - is something developers can make work quite easily, there's no reason why the core classes of that functionality can't be released and checked by the public for accuracy.

    4. gobaskof

      Re: Is source code necessary to validate correctness?

      I doubt they will be happy to freely allow an executable version of the code to be available to all who wish to test it. They would need to do this along with enoug description of the required inputs and outputs.

      Even then, personally I am uncomfortable using people analysis code unless I can see the source. While yes I can run some test cases, it is nice to be able to dissect the code to know what mistakes might happen. And to be able to output what is happening in the middle of some analysis. If the analysis is difficult enough it is hard to know who made the mistake when two codes disagree. At this point is is nice to be able to run through both with a fine-tooth comb until you find out what the source of the disagreement is, and from there who made the error.

    5. swm

      Re: Is source code necessary to validate correctness?

      Just a side note - the engine control software used in commercial airplanes is considered proprietary and cannot be inspected by the regulatory bodies. So the regulatory bodies rate the software by how many hours of successful flight hours the engine has flown with the software. And yes, there have been bugs.

      I want a ? icon.

      1. streaky

        Re: Is source code necessary to validate correctness?

        cannot be inspected by the regulatory bodies

        I'd be surprised but also somewhat alarmed if this was true. As a software developer and somebody who used to build (mechanical) bits of aircraft for a living there's all kinds of precident for aviation authorities to say "this aircraft isn't fit to fly" if boeing/airbus et al refused to comply with such demands. How well it's tested and if the authorities are competent to actually deal with aviation software is another question entirely, but assuming it's true it raises all sorts of red flags.

        I'd be interested in the source of that information.

    6. Concrete Gannet

      Re: Is source code necessary to validate correctness?

      Michael Cordover has made associated FOI requests for test plans, test data and test harnesses external to EasyCount itself. If the sole purpose of the AEC's objections was to preserve the commercial-in-confidence status of EasyCount itself, they should have had no objection to making their tests freely available.

      But they haven't. My guess is the tests aren't all that good.

    7. This post has been deleted by its author

  3. Anonymous Coward
    Big Brother

    Somewhat disingenuous headline

    My reading of the article here does not lead to the headline. As presented, he (Tridg) appears to have answered the questions put to him. He was accepted as an expert witness and seems to have acted as such. How his answers were interpreted is up to the court - not him. The outcome, ie judgment of the court is also not up to him.

    As I'm also a regular /. reader I wont bother following up the links but simply jump to conclusions: Mr Cordover's questioning of Tridg was not sufficient to get the sort of evidence he needed out of his expert witness.

    1. Adam 52 Silver badge

      Re: Somewhat disingenuous headline

      If you do read the link then it's fairly clear, as the article says, release of the source would enable competitors to see what and how the software works and that's a valid reason to reject an FOI request.

      The Court doesn't seem to address the scutineer's concern that he had no way to validate the count, possibly that's down to how the case was argued.

      1. Anonymous Coward
        Anonymous Coward

        Re: Somewhat disingenuous headline

        > release of the source would enable competitors to see what and how the software works

        Yup. That's exactly the point.

        > and that's a valid reason to reject an FOI request.

        No, it is not a valid reason. For one thing, I would have thought fair elections are more important than someone's business concerns. For another, it seems rather reasonable that one should be able to inspect the workings of vote counting software in order to ensure correctness and fairness. One way to achieve this is to require that any product used for this purpose be open source--this would not stop competitors from copying from each other (obviously, that's contrary to how FOSS works) but it would level the field somewhat and ultimately provide the users (that is to say, the voters) with a better system.

        Is it possible that Mr Cordova, while well intentioned, has not chosen the best way to approach this issue?

        1. Concrete Gannet

          Re: Somewhat disingenuous headline

          An FOI request is cheap and, if successful, would achieve the goal with minimal effort. Now it's clear the AEC won't part with the code, we need to lobby politicians to change legislation, either to 1. mandate open source software where the public interest is strong enough, such as for elections; or 2. change FOI legislation so that public interest trumps commercial considerations, and not the other way around.

          Either change would be difficult to achieve and would require a public awareness and lobbying campaign, instead of an FOI request by one person. Michael Cordover did things in the right order.

      2. Lars Silver badge
        WTF?

        Re: Somewhat disingenuous headline

        "as the article says, release of the source would enable competitors to see what and how the software works and that's a valid reason to reject an FOI request.".

        I suppose there must be lots of countries with the same voting system in this world all drooling to have a look at this secret source code. Please.

    2. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Re: Somewhat disingenuous headline

      FWIW I think Tridge just said what he believes, even though it was not all going to be helpful to the cause of accessing the source code for easycount. The presiding officers of the tribunal took his entirely reasonable concession that someone could behave badly with the source and made it a major point in their decision.

      1. Havin_it

        Re: Somewhat disingenuous headline

        Per the petitioner's quote at the end, it certainly doesn't sound like he has any axe to grind over Tridge's testimony. As a lawyer I'd certainly hope and expect that he be sanguine about expert witness testimony not going his way; it's always a risk unless your expert is corrupt (yeah I know, don't start) and it seems like he acknowledged that. He simply has to fight the next round (as he seems keen to fight on) on a new tack, whatever that may be.

        It would be nice if he ultimately prevented this state of affairs from arising again at least; IMHO, e-voting should only be even considered on a 100% open hardware and software stack.

  4. bep

    Voting is done on laaaarge paper ballots

    There are no voting 'machines' in Australian elections. But at some point the count is obviously computerised, a fact of which I was previously unaware. Time to make my feelings known to my representative.

    1. Alan Brown Silver badge

      Re: Voting is done on laaaarge paper ballots

      The thing is, with large paper ballots, if there are questions about the veracity of the software, then in _can_ be audited.

      Unless you pull a swiftie and shred the ballots after counting, as has happened in several USA elections.

  5. Adam 1

    They are correct that easycount should be able to say no, but that should immediately discount them from being considered.

    Dear AEC, How about a kick starter go fund me thing for an open source implementation? The algorithm is hardly rocket science.

    1. P. Lee

      >How about a kick starter ...

      How about the govt hires some devs and pays them for the code which it can then release for inspection. What is this Kickstarter nonsense?

      Election operations should be transparent, not outsourced to some company which can hide what it is doing.

      1. Adam 1

        It means that they can't hide behind the we can't afford it excuse.

      2. Charles 9

        The only way the election process can possibly be truly transparent is to do the whole thing by hand: otherwise, any form of automation or mechanization can be construed to change the results in a way human senses cannot detect. The entire process from start to finish must be able to be seen by our innate senses. But then how do you process hundreds of millions of votes by hand in a timely manner and on a budget (and no, two out of three is not acceptable when whole countries depend on the results)?

        1. Adam 1

          If your vote counting software is hundreds of millions of LOC, I can already spot a problem.

        2. Tom 38

          The only way the election process can possibly be truly transparent is to do the whole thing by hand

          Fairly certain you can rig an election with paper ballots too - substitute one box of votes for another box of votes during transit to the counting station.

          1. Alan Brown Silver badge

            "substitute one box of votes for another box of votes during transit to the counting station."

            Australian and NZ polling stations are also the counting station, normally with observers present from all parties who all sign off on and seal the package of ballots before it's sent to the central station.

            Counting is generally completed very quickly at each polling station, unless it's close, in which case everything gets recounted more than the usual 2-3 times.

            Incidents of ballot tampering are effectively non-existent. (Voter tampering is another matter)

            1. Pompous Git Silver badge

              Counting is generally completed very quickly at each polling station, unless it's close, in which case everything gets recounted more than the usual 2-3 times.

              Incidents of ballot tampering are effectively non-existent.

              Unless you consider the horse trading between scrutineers as "ballot tampering".

              "I'll let you count that vote as valid if you let me count this one as valid..."

              There's nowt like a good scrute on election night I always say ;-)

          2. Concrete Gannet

            Yup, but you just rigged one millionth of the vote, not the entire election.

        3. Alan Brown Silver badge

          Australian elections

          "The only way the election process can possibly be truly transparent is to do the whole thing by hand"

          The Australian balloting process is so mindnumbingly complicated that only a machine has a fair chance of coming up with an answer in a reasonable period after polls close.

          It was one of the options offered to the New Zealand electorate when they voted to ditch FPP and came dead last (NZ went for Supplementary Member, aka MMP, which is hard to game and impossible to gerrymander).

      3. Trixr

        >How about the govt hires some devs

        For this govt, anything third party or outsourced is better than what you can come up with in house. For 99% of things, I actually agree with using third party if it's an established product. For counting the nation's votes, nope, it should be written in house, with the Aussie govt's IP and no third parties getting in the way. And no excuses for releasing the code.

        I have to say the Aussie preferences system is a pretty crappy kind of proportional representation, and the "resellability" of such code would be limited anyway.

    2. Anonymous Coward
      Anonymous Coward

      Both the code and the required computing devices are quite simple. Governments could hire a University to put together the required hardware, device drivers and source code. All of which could be completely open source. It would neither be overly expensive nor complex.

      1. Someone Else Silver badge
        FAIL

        @ AC:

        Both the code and the required computing devices are quite simple. Governments could hire a University to put together the required hardware, device drivers and source code. All of which could be completely open source. It would neither be overly expensive nor complex.

        ...and would have the same level of quality of any University sophomore software project...which means it would be a highly-coupled, badly encapsulated mish-mosh of spaghetti code that would make any APL program a model of clarity in comparison.

        No, something like this, I'd rather leave to the pros.

  6. Adam 1

    > Preferential voting means that once a candidate reaches a quota, their votes pass to a voter's second preference

    Kind of. The second preference of all voters for that candidate is considered, but transferred votes have a lower weighting.

    (Votes for candidate minus quota) divided by votes per candidate.

    Once transferred, the last place is eliminated (transferring) until all positions are filled.

  7. -tim

    The law is the law and ignoring that doesn't help.

    While I respect Tridge for his work on software, my discussions with him about intellectual property seem to indicate that he is as extreme as the Free Software Foundation but with a huge amount of head in the sand attitude about ignoring trends in current and future copyright and patent law. Because of the lack of patent pending on rsync, there are now a large number of patents of related technology that will have long term negative effect with rsync getting better. Samba is making use of a number of Microsoft patents but so far Microsoft has decided that Samba is useful so they haven't stopped it. Much of this would be fixed if the open source groups would file patent applications (with maybe thousands of claims) once a year and then not follow through with the full patent protection to reduce costs. That would provide the patent offices with a full proof of prior art in a way that they can deny other patents and the open source people won't get nailed for using their own intellectual property. People need to understand that patent offices can't use tools like google to find existing prior art, they can only use public resources they have access to that won't revel new technology to possible competitors. That effectively means they use their own patent pending databases.

    1. Anonymous Coward
      Anonymous Coward

      Re: The law is the law and ignoring that doesn't help.

      MS was forced to open a lot of its protocols for interoperability due to EU ruling (see http://ec.europa.eu/competition/sectors/ICT/microsoft/implementation.html, for example).

      The Samba project greatly benefitted from it - but its attitude about "free sotware" can be easily seen from the fact it promptly switched to GPLv3 (which incidentally caused Apple to drop it from OSX).

      Maybe they should have spent their efforts in making it scale better, instead of changing source headers...

      1. Jeremy Allison

        GPLv3 is more business friendly

        See here:

        https://www.fsf.org/blogs/licensing/jeremy-allison-on-why-samba-switched-to-gplv3

        for details. Apple are religious zealots about patenting software. Nothing we can do about that. All other vendors had no problems with it.

      2. Jeremy Allison

        Scaling

        Forgot to address the comment about "Maybe they should have spent their efforts in making it scale better.."

        I don't think you have any idea about how much effort we put into making Samba scale, to the point of counting instructions using cachgrind and modifying core algorithms to improve scalability. We have one Samba Team member (Volker) who does this to the point of obsessiveness. I love him for it :-).

        Haven't you heard, the pendulum has swung back again, and being in user-space is the new, new hotness - again (see the other recent article on IP-in-userspace performance improvements :-).

    2. Andy Davies

      Re: The law is the law and ignoring that doesn't help.

      Software per se is not patentable - and should not be (it represents a mathematical or logical idea - there should be no legal controls over ideas!).

      afaik this is [still] the case in the EU

      1. Anonymous Coward
        Anonymous Coward

        Re: The law is the law and ignoring that doesn't help.

        But software concepts like algorithms (which are abstract) can represent unique and novel techniques that can be put to practical use (say, in a chip, thus existing in physical form). And you can't copyright an algorithm because copyright cannot protect against a clean-room copycat (like the Compaq clone of the IBM BIOS).

        And yes, you usually need a motivation for invention or people usually won't follow through. That's why patents took their modern form.

    3. Anonymous Coward
      Anonymous Coward

      @-tim Re: The law is the law and ignoring that doesn't help.

      I have upvoted your comment. Not because I agree with your ideas, but because you:

      * do raise a valid and interesting point,

      * suggest a possible solution,

      * appear to be suitably informed about the subject, and

      * expose it in a sober and respectful manner.

      I may disagree with your specific solution (wouldn't patent law reform be a better remedy?), but I really appreciated your comment. I wish more people would take the trouble to write good comments such as yours.

      1. -tim
        FAIL

        Re: @-tim The law is the law and ignoring that doesn't help.

        Thanks, A.C.

        I may be wrong, but I don't see a better option. I know there are people who think patent reform is a better option but I have a book that I rent out to break patents on stupidly obvious things. I know more patent lawyers than I know people with patents and I know more developers that have been talken to court than I know software patent owners. Something is broken and putting your head in the sand isn't a solution.

  8. Anonymous Coward
    Anonymous Coward

    Bit of an unfair shoeing for this Tridge chap. Yes, the company makes money, yes releasing the open source -even on a limited basis- would increase the possibility of piracy. The questions were a bit loaded, I feel.

    However.

    Pirates don't necessarily need to see code in order to pirate a thing. And IMO voting software that isn't available for even limited expert scrutiny to prove that it's doing it's thing correctly is valueless anyway.

    1. Charles 9

      The problem is that voting software is valueless even with open source because the machine can just be subverted elsewhere.

      1. Anonymous Coward
        Anonymous Coward

        The machine should be probed with different inputs (all unknown beforehand to the machine), only one of which is the real one, the others being test suites with known outputs.

        1. Charles 9

          "The machine should be probed with different inputs (all unknown beforehand to the machine), only one of which is the real one, the others being test suites with known outputs."

          Still, designed carefully, a secret subversion system may only be reachable by an intricate series of inputs (like a knocking or multiple ping-pong system) such that the odds of hitting it by chance are infinitesimally small. In every other case, it will work as designed...until that once-in-a-billion-plus input.

      2. The Mole

        You could also say human counters are valueless as they can make mistakes and be subverted.

        In reality they both can have their place. The voting system needs to have a proper secure paper audit trail than can be manually verified by hand. Against an attacker attempting to subvert the election result then polling machines could theoretically be subverted, however an attacker of that kind can also subvert human counters, fake postal votes and generally get their own way, having a paper audit trail (done properly) which can be verified helps protect against this case. Voting machines can however ensure that counts are done quicker (not that I understand the obsession on speed) but also more accurately, if in doubt look at how often paper recounts occour and how often they produce different results even in first past the post. When you have multiple layers of rounds and complicated vote allocation systems these mistakes are far more likely to occur and the odds are a properly tested and vetted machine is more likely to get it correct.

        Of course the machines should be properly tested and vetted by independent experts, and at the minimum the test cases and results being freely accessed and reviewed with a mechanism for test cases to be challenged and additional tests to be proposed.

        1. Anonymous Coward
          Anonymous Coward

          It's an intractable tradeoff. A human count can be overseen, but as you noted, you can bribe overseers and overseer overseers ad nauseum, and in a national-scope election, someone with state-level resources could come into play. OTOH, a machine count can be subtly subverted beyond the scope of human senses. Heck, they may even come up with ways to corrupt the audit trails.

          PS. The need for speed is so as to get the result in a timely manner, which can be important for parliamentary elections because there is no legislative activity possible between the dissolution of the old parliament and the forming of the new one.

          1. Pompous Git Silver badge

            The need for speed is so as to get the result in a timely manner, which can be important for parliamentary elections because there is no legislative activity possible between the dissolution of the old parliament and the forming of the new one.

            The hiatus also means that the pollies aren't fucking things up for the rest of us ;-)

  9. John Robson Silver badge

    Complex? It's an STV election...

    Is it just me that doesn't think that this is a complex scenario?

    I could design a ballot paper that would be human readable, and therefore easily verifiable, as well as machine readable, and therefore able to be loaded to the dB quickly.

    It's not a complex problem to solve - although I'm not quite sure I understand the concept of using a lower choice vote for people who have voted for an already "Quota'd" candidate... Whose votes do you use - or do you use them all pro rated to the "excess votes" of the primary candidate.

    So if I vote for someone popular I get 1 and a bit votes?

    1. Charles 9

      Re: Complex? It's an STV election...

      The trick is not the ballot itself, it's making sure the ballot isn't changed, switched, or removed after the vote is cast as well as making sure no additional "stuffed" ballots are inserted into the process. The reason for a move to machines is to find a system such that any given vote is counted once, only once, never changes, and can be proven to be all three. Having a machine reading the votes provides an alternate set of eyes that requires a different kind of technique to subvert than bribing vote counters (and once a person is found to be a vote counter, that person could be persuaded or coerced). Also, a system that leaves a receipt to the voter provides a way for the voters themselves (if they wish) to triple-check the results outside the scope of the election machine.

      1. John Robson Silver badge

        Re: Complex? It's an STV election...

        Hence the paper element of the ballot.

        The paper ballots can be read rather quickly by the machine, and then passed on to the human team, who can confirm the ballot over the course of the next couple of days.

        There are existing mechanisms to prevent ballot box stuffing, and the ability of the machines to highlight "unusual" ballot patterns could be of interest here...

        In general we are very good at looking after liitle bits of paper - and understand the security of physical objects quite well, whereas in the digital domain it's very much less well understood (and therefore less well trusted) by the vast majority of people.

    2. Lars Silver badge
      Happy

      Re: Complex? It's an STV election...

      "I could design a ballot paper that would be human readable, and therefore easily verifiable, as well as machine readable, and therefore able to be loaded to the dB quickly.".

      Not punch cards. Sorry, but I had to get this off my chest.

      1. John Robson Silver badge

        Re: Complex? It's an STV election...

        I was actually going for paper and pencil...

        1. Pompous Git Silver badge

          Re: Complex? It's an STV election...

          I was actually going for paper and pencil...

          Which generates a remarkable amount of horse trading between scrutineers as to what counts as a valid vote and what doesn't. Usually quite civilised banter I might add. It's clear to me that most commentards in this thread have never scrutineered. No machine could replace a dedicated, experienced scrutineer determined to garner the most possible votes favourable to the party he/she represents.

  10. druck Silver badge
    Flame

    First past the post

    If the voting system is so complex you need software (open or closed source) in order to count it, it isn't for for purpose.

    Whatever you say about first pas the post, everyone can understand the concept of who got the most votes wins.

    1. Charles 9

      Re: First past the post

      But sometimes, simple isn't the best solution. Consider this. The US has been pretty much stuck at two parties for the better part of two centuries (the parties shift here and there, but third parties usually don't last long as a major political player in the US). It's a natural consequence of a winner-take-all system like first past the post: it causes political affiliations, and everything that goes with them, to polarize to maximuze the potential to be the winner. The differences grow over time to the point that he key element of politics, compromise, becomes less viable like the situation today.

      Say what you will of complexity, but some complexity can be considered necessary complexity in order to help protect the ability of outside voices to have a say.

    2. Anonymous Coward
      Anonymous Coward

      Re: First past the post

      "Whatever you say about first pas the post, everyone can understand the concept of who got the most votes wins."

      People are often miffed when that apparently simple system usually turns out to be less than fair.

      An unpopular candidate can win in a constituency with about 30% of the total constituency votes cast. The remaining 70% of votes could be split between several candidates who share similar, popular manifestos

      A party can win an overall majority of seats in Parliament with only about 30% of the total national votes cast.

      A party can form the government with an overall majority of seats - even though they received less national votes than another party.

      Two parties with the same number of votes nationally can receive very different numbers of seats. One of them could even get no seats - while the other's seats are in double/treble figures.

      Most voters are effectively disenfranchised by the FPTP system - as their vote will not make any impact on their local constituency's outcome.

      1. Anonymous Coward
        Anonymous Coward

        Re: First past the post

        "[...] received less national votes [...]"

        Mea culpa. "[...] received lessfewer national votes [...]"

      2. Alan Brown Silver badge

        Re: First past the post

        "A party can form the government with an overall majority of seats - even though they received less national votes than another party."

        _This_ was precisely the driver for New Zealand to change away from FPP, although it took 20 years from the event to the change. Opposition parties would put it on their manifesto and then ditch the promise as soon as they got power.

        The beneficiaries of FPP are the incumbents. It's not in their interest to agree to support anything else as it will result in their power based being diluted.

    3. Adam 1

      Re: First past the post

      FPTP also means that two similar candidates may split each other's votes thus leaving the victor to be someone who represents less of the electorate.

      Imagine a conservative, a libertarian and a communist running for a seat. If the vote went 37, 23, 40 respectively, that would leave the communist as the winner in a FPTP count even though a libertarian is unlikely to favour a centralised control party over a conservative party.

      Don't get me wrong, the senate does have problems in voting but this is because above the line allows backroom deals and the ridiculous number of candidates makes it too hard to actually rank them properly on the paper. My solution would be to scrap above the line but to force them to number 1 to 12 on full senate elections and 1 to 6 on half senate elections (with the option to keep numbering as far as you can be bothered)

    4. Pompous Git Silver badge

      Re: First past the post

      Ignorance... Read up on Hare/Clark an even more complicated system than is used in Australian Federal elections. Apart from Ireland, only Tasmania uses it AFAICT. It works to enable minor parties and independents to gain representation in parliament, much to the disgust of Tweedle Dumb and Tweedle Dumber...

      1. Concrete Gannet

        Re: First past the post

        Used in Australian Capital Territory too

  11. Whiskers

    Don't rely on just one system

    Where computers are used in critical situations, shouldn't it be standard practice to use at least three independent systems (different hardware and different software) to process all the data and then compare results?

    A human count of the ballots could be one of the independent systems relied on. I appreciate that this means a delay while the count happens, but how important is speed? Once elected, governments tend to last for years so a delay of a few days isn't significant.

    If the prospect of there being no politicians in government for a few days is intolerable then let the change from old to new take place after the election results are confirmed.

    1. Charles 9

      Re: Don't rely on just one system

      Trouble with your ideas:

      Sometimes an election doesn't result in a goverment. With no outright majority and no coalition to take it over the line, you have to try again, which leads to the other problem.

      Waiting for a new government to form before dissolving the old one can put a bias towards the incumbent to keep a rival government from forming, corrupting the system.

      And meanwhile, what if some urgency occurs between governments? Even with a fallback, some could be banking on the fallback.

  12. GBE

    Tridge was his witness?

    I thought rule number one for lawyers was never ask your witness a question if you don't know what he's going to answer?

    Could this Cordover guy really be that incompetent?

  13. Stevie

    Bah!

    The description in the article of how the votes transfer with respect to making/not making quota must be a misprint because in its current form it matches the typical database programmer's grasp of exception handling: Issue command, test return status, carry on regardless. In this case it is Test to see whether votes meet "quota" spec, then do the same thing whatever the answer.

    I guess this is a variant of STV as deployed in my old Alma Tomata the University of Controversial Climate Debate E-Mails. In my defense we still thought Glomar Challenger was scooping the seabed for Manganese nodules in them days rather than other people's crashed nuclear submarines. They were kinder times, when people got information from big buildings filled with "books", long before some idiot invented the internet and Facebook and the never-to-be-sufficiently-damned e-mail.

    Where was I? Oh yes, Australia's (presumably) STV counting software.

    I'm surprised *anyone* could make money off software to do the counts since I can envisage the Perl script needed as I type and I'm a piss-poor Perl programmer. I dunno if Perl could handle the sheer size of the counts offhand, but the idea would be sound in any language and I know at least one company's Cobol has a datatype that would suit.

    This would seem to be a job so trivial Bob the Teaboy could do it, and I wouldn't mind betting that's who actually did given the results (anecdotally) reported.

  14. Flat Phillip

    Voting machines

    You do realise that in Australia there are essentially voting machines now? All the bits of paper get counted and then the numbers are sent to a central site and put into a computer, which then does things like send it to the media, update the website and ultimately give the results.

    Sure, for simple cases you could pick up fraud, e.g. Voting booth A at electorate B voted 75% Party C, but the scrutineers with their samping might see it only 25% so it looks sus. For more subtle changes its harder, but for the lower house its the edge-cases that get more checks.

    For senate (and the story was about the senate voting), good luck with that! There is in theory a 1:1 relationship between the number of bits of paper seen and the numbers that go into the computer but after that it gets hard real quick, especially when you get to the later preferences when the usual suspects have their quotas.

    That's not to say I think AEC is fiddling the books, quite the opposite. I'm just pointing out there have been computers involved for quite some time.

    The bigger problem is disenfranchising public from the senate voting because it's almost impossible for normal humans to vote how they want in the senate. Not really an IT problem though voting machines might help with the "tablecloth" but a change how the senate is elected would certainly help.

  15. jdoe.700101

    Wrong FOI request

    Surely Michael Cordover should have been asking for public access to the raw data, so that he (or anyone else) could then independently tally results.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like