We continue where we left off in part 1 of this article looking at the problems found by researchers when analyzing these systems and at how the various election organizers handled the researchers'' reports:
India, like Brazil, uses DRE voting machine without VVPAT. The Indian Electoral Commission decided the introduction of a VVPAT system but the use of the upgraded voting machines is still limited, so, for all intents and purposes, it can not be said that, as a whole, the Indian electronic voting system has VVPAT yet.
The lack of a VVPAT system is just the tip of the iceberg when it comes to the problems of the Indian electronic voting system. The DRE voting machines have been proven to be easy to compromise by a team of researchers from the University of Michigan, led by J. Alex Halderman, Netindia, (P) Ltd., Hyderabad, led by Hari K. Prasad and the Dutch hacker Rop Gonggrijp. This group of researchers published multiple papers on the lack of security of the Indian electronic voting machines.
Moreover, the new remote Internet voting trial from Gujarat has been done using Scytl remote Internet voting machines. If you would recall the manufacturer of the iVote system from New South Wales in Australia, it is the same company: Scytl. Given that it is extremely unlikely that Scytl provided completely different machines to Gujarat than it did to New South Wales, it is safe to assume that the Scytl voting machines used in Gujarat are just as vulnerable as the ones used in New South Wales.
Ireland ran a trial using electronic voting machines in 2002. The machines were DRE voting machines without VVPAT from Nedap, similar to the ones used in Germany. In 2006, a Dutch group of hackers associated with the “Wij vertrouwen stemcomputers niet” group from the Netherlands and led by Rop Gonggrijp demonstrated how these voting machines can be compromised. Ireland officially announced the scrapping of the electronic voting system in 2009.
At the time of the scandal surrounding voting machines used in the 2006 general elections, most of the voting machines used in the Netherlands were Nedap DRE voting machines without VVPAT. As mentioned earlier in the case of Germany and Ireland, in 2006 Dutch group of hackers associated with the “Wij vertrouwen stemcomputers niet” group (which means "We do not trust voting machines" in Dutch) from the Netherlands and led by Rop Gonggrijp demonstrated how these voting machines can be easily compromised. As a result of that, the Dutch have stopped using electronic voting in 2007.
Norway has ran a series of trials using a remote Internet voting system starting from 2008. In 2014, Norway decided to put an end to the electronic voting experiments. The most salient point of the report published at the end of the trial are that Internet voting does not increase voter turnout. This finding is echoed in the Canadian Internet Voting report from British Columbia.
The Norwegian Internet voting trials were run using remote Internet voting machines from Scytl. The Carter Center released in 2014 a report called Internet Voting Pilot: Norway’s 2013 Parliamentary Elections in which the Internet voting system used in the 2013 was analyzed. The report clearly states that it was not intended to draw any conclusions from the study. However, issues like end-to-end verifiability, integrity versus secrecy and the various implementation problems that have been discovered are discussed.
As mentioned in the previous article, Sweden has not implemented an electronic voting system but only debated on this topic since more than a decade ago. Because of this, there is nothing to add to the discussion regarding the failures of electronic voting coming from Sweden.
Switzerland is using multiple electronic voting systems, due to the varying electoral legislations among the cantons. The three initial systems trialled in Geneva, Neuchâtel and Zurich form the foundation of the systems currently in use across the country. The source code of the systems is not available to the public.
The Three Case Studies from Switzerland: E-Voting study reports that one of the overall voter turnout increased only by 2% or less across the whole country. This mirrors the findings of the Canadian and Norwegian studies mentioned earlier. There have not been any security incidents yet but that is not conclusive proof of anything because, at the time this report was released, in 2009, the electronic voting systems were still very new and had seen relatively limited use.
In the UK, the Open Rights Group, UK's most important digital rights group, has been very active, very vocal and has been having a very firm stance against any method of electronic voting.
In the 2007 elections report, a whole litany of problems with the electronic voting systems is reported, starting from a lack of an audit trail in almost all the cases where DRE and remote Internet voting machines were used, servers that could not be audited, exploitable security vulnerabilities and, last but not least, serious usability problems for the voters in multiple voting colleges. The report is a veritable manual of “How not to run an election”.
The 2008 London elections report is just as troubling. In the 2008 London elections, just electronic counting was used, as opposed to the mosaic of electronic voting systems used during the 2007 elections. However, the outcome was a complete fiasco yet again: no actual transparency recording valid votes, no public access to the source code audit, the London Elects have commissioned only a partial code audit from KPMG and, claiming commercial confidentiality, they prevented the London Elects from publishing the results of the audit, inflexibility of the electronic counting system that prevented verification, as well as various bugs and freezes.
On top of all those problems, the cost of using the electronic counting system was 1.5 million GBP higher than what it would have been if manual counting were used. Moreover, that is 1.5 million out of the total 4.5 million GBP cost of the 2008 London election. That is a staggering 50% increase in cost for a demonstrably worse system and no benefit whatsoever.
Unfortunately, although electronic voting seems to be at least dormant, if not outright dead, at the national level in the UK, London insisted on electronic counting and used an electronic counting system for the 2012 elections despite all evidence to the contrary.
An analysis of the myriad electronic voting systems in use across the US and all their problems is beyond the scope of this article. We will have to stick to a very short list of honorable mentions. First, anybody even remotely interested in electronic voting should look up the infamous Diebold machines and the scandal(s) surrounding them. Then, the research on electronic voting being done at the University of Michigan under the leadership of J. Alex Halderman deserves a close look. We already mentioned his research on the topic of electronic voting security in Australia and India in this article. The coming article about the problems with the Estonian electronic voting system is based on a report in which he is one of the main researchers. His Securing Digital Democracy series of video lectures on Coursera are a good starting point for anybody willing to learn about electronic voting and the problems posed by it. Lecture 8.4: Washington, D.C. especially is a must watch.