Thursday, 18 December 2003. __________ The Joint Committee met at 10.38 a.m.
__________ MEMBERS PRESENT:
Deputy B. Allen,
Senator Senator C. Brady,
Deputy J. Cregan,
Senator M. Brennan,
Deputy C. Cuffe,*
Senator J. Dardis,+
Deputy M. Fox,*
Senator J. Phelan.*
Deputy E. Gilmore,
Deputy N. Grealish,
Deputy S. Haughey,
Deputy B. Kelleher,
Deputy P. McCormack,
Deputy J. Moloney,
Deputy M. Moynihan.+
*In the absence of Deputies T. Sargent and J. Healy-Rae and Senator J. Bannon,
+In the absence of Deputy S. Haughey and Senator C. Brady, respectively, for part of meeting .
In attendance: Deputies J. Brady and A. Morgan.
DEPUTY S. POWER IN THE CHAIR.
Business of Joint Committee. Chairman: I propose that we go into private session following our question and answer session on electronic voting to decide what course of action we should take. Is that agreed? Agreed.
Electronic Voting: Presentation. Chairman: We now come to the substantive part of today's agenda, namely, the discussion on electronic voting. I welcome the witnesses to the meeting, including the Secretary General from the Department of the Environment, Heritage and Local Government, Mr. Niall Callan and his officials. They are accompanied by representatives of the different companies involved in the introduction of electronic voting, namely, Groenendaal, Nedap and Nathean Technologies. I also welcome Mr. Joe McCarthy, who has forwarded a report to the committee outlining his concerns on this matter; Ms Margaret McGaley and Mr. Robert Coughlan who met with the committee last week and have agreed to meet with us again.
Last week's meeting highlighted a number of concerns. We will hear short presentations from the Secretary General and Mr. McCarthy, neither of whom addressed the committee last week, before concentrating on a question and answer session between members and witnesses.
I remind witnesses that while members of the committee have absolute privilege, this does not apply to witnesses appearing before the committee. Members are reminded of the long-standing parliamentary practice where members should not comment on, criticise or make charges against a person outside the Houses, or an official by name or in such a way as to make him or her identifiable.
Mr. Niall Callan:I thank the committee for the opportunity to meet with it and discuss the issue of electronic voting. I am accompanied by Mr. Tom Corcoran, head of the local government and franchise division, and Mr. Peter Greene, head of the franchise section.
As requested by the committee, the Department is pleased to bring to the meeting some of the key experts involved in the development and testing of the Nedap-Powervote system for Irish election purposes. I would like to introduce Jan Groenendaal, managing director of Groenendaal BV, the systems and software developers; John Pugh, chief technical officer, Nathean Technologies, the Irish firm that has undertaken the architectural and code reviews of the software system; and Henk Steentjes, chief technical officer of Nedap, the Dutch company that manufactures the voting machines. We have other experts in reserve such as Joe Wadsworth of the Electoral Reform Society, based in Britain, who has undertaken testing of the counting functions and is also available to speak to the committee.
Before placing these experts at the committee's disposal, I would like to make some brief general comments to bridge between the Minister's presentation and the discussions with the committee on 25 November 2003 and today's session. In line with the 2001 legislation enabling electronic voting, the Department has been working hard to implement the mandate from Government to develop an electronic management system for Irish elections. The fundamental purpose of the initiative is to improve the efficiency, speed, accuracy and user-friendliness of Irish elections and to eliminate the democratic wastage associated with spoilt votes. More than 20,000 spoiled votes were registered at the 2002 general election, equivalent to 1.1% of all votes cast.
It is about more than just improving the technology. Modernising and transforming elections in a visible way will tackle voter apathy and improve the image of elections, especially for an increasingly younger electorate. The Department's mandate was to complete this change process as quickly as possible. This presents many challenges for us and our partners in the process. However, in the Government's thinking, it secures earlier delivery and availability to the people of the benefits of electronic voting. Given the cycle of the various elections, the alternative would be to delay these benefits for several more years. This approach made it important for the Department to procure an electronic voting system of proven and robust performance. We did not consider it sensible to pursue a policy of designing and developing an entirely new system.
In the event, the procurement process identified Nedap-Powervote as the best system to apply to Irish elections. This system came with its own proprietary hardware and software. The count function is not based on a PC and I will raise this important issue later. More important, the Nedap-Powervote system enjoys the proven advantage of widespread and successful use at national and local elections in the Netherlands over many years and it has been more recently employed in some German municipal elections. This successful operation in practice, in some of the most sophisticated societies in the world, is the most worthwhile possible test of reliability.
The new voting system was extensively piloted at the 2002 general election and the second Nice referendum, in which more than 270,000 voters used the system. The reaction of users has been overwhelmingly positive. Neither has any candidate or voter in the constituencies covered by electronic voting raised questions about the fairness or integrity of the process or made a significant complaint or challenge to the Department. All best technologies embrace the principle of continuous improvement. The Department and its partners are committed to the continuous improvement of the electronic voting system. We are working on changes for the presentation of results; we have modified the voting machines to make them more user friendly and accessible, and we have subjected, and continue to do so, the system software and hardware to rigorous testing by a range of independent agencies.
The Department will pursue this approach of continuous improvement between now and June 2004 and beyond that. We do not see this as any admission of weakness. The electronic voting system already meets high and satisfactory standards of performance. However, best practice means that we should not rest on our laurels and that we should add to margins of safety and reliability.
Coinciding with the transition to full use countrywide of electronic voting, concerns have been more explicitly raised about the security and verifiability of the system. We want to deal fully with these concerns today. My expert colleagues will explain various aspects of the system validation with which they have been involved. I will comment on a more general level on some key issues. The argument is now being made that the electronic system is not adequately validated in terms of its ability to store and count votes securely and that a separate paper record needs to be created to provide this validation. The Department does not accept these arguments. The independent testing of the system fully addresses the issue of the machine responding accurately to and storing touch-button commands. The counting function has been rigorously tested. The machine is programmed to shut down instantly in the unlikely event of any error being detected. The system is also designed to provide a full record of all individual votes cast following the election.
The idea that an electronic system can be well validated by a paper receipting process is highly problematic and creates many practical difficulties. It involves a dual system in which constant confusion will obtain as to whether the electronic data or the paper trail represents the validly cast vote. It is also dependent on the perfect functioning of a printer. For these and other reasons, only a very small minority of electronic voting systems worldwide have incorporated a paper receipting function.
Issues have also been raised by the committee about making the source code for the election management system generally available. The Department's primary concern at this stage is to guarantee and deliver to the public a system that is reliable and trustworthy. From this perspective, whether to make available the source code to third parties is a secondary issue. The Department will not be in a position to consider acquiring full rights to the code until October 2004 when the system, including a module to cover the presidential election, will have been fully completed. The Minister has said that at that stage he will address all issues regarding the public interest in permitting wider access to the source code. We understand that different views on this matter have already been expressed to the committee.
We should not forget the considerable imperfections of the old paper ballot system. This typically wasted more than 1 % of votes cast through spoilt votes and more than that at multiple polls such as the one planned for June 2004. Therefore, the feeling of assurance and validation which some claim for the paper ballot process was illusory, for some voters at least. The manual count was also subject to errors and risks. For all these reasons the Department is confident that the electronic system will provide an easier, quicker, more accessible and more accurate voting system. Our experts will be available to clarify other issues for the committee.
Chairman: I thank the Secretary General. As there is a vote in the Dáil Chamber we must leave in three or four minutes, but Mr. McCarthy might introduce himself in the meantime.
Mr. Joe McCarthy: For the past 17 years I have had an interest in elections, but I have been a computer professional for the past 30 years or more. I used to work for IBM and now I run my own network consulting company. I have professional qualifications which allow me to speak on matters of IT and practical experience which allows me to speak on matters relating to vote counting - I have been an agent or sub-agent at every election, general and local, since 1987. I set about trying to find out about electronic voting in October 2002 by seeking information from the Department under the Freedom of Information Act and after quite some time I received some of the material I have in front of me, on which I am basing my opinion. I do not have full knowledge of the system - in particular, I do not have access to the technical documentation or the source codes.
I have 40 questions to put forward, some of which are very technical and may be beyond the compass of most of the members present but should be answered by the technical experts. Some are quite unusual and esoteric - one of them deals with cosmic rays. The computer systems to be used for electronic voting are subject to the influence of cosmic rays once a day on average, taking into account the number of machines. Good practice would result in good management of these matters, which seems to be the case for the Nedap machine but not for the counting machine. There are also various roles, to which I must draw the attention of the members, for us as part of our responsibility for this system. I will identify five major issues.
Sitting suspended at 10.55 a.m. and resumed at 11.41 a.m. Chairman: We will resume our business. I am sorry for the delay, but there were a number of votes. The Clerk to the Committee said there were no rows in our absence, so the spirit of goodwill prevails. We will allow Mr. McCarthy continue with his presentation.
Mr. McCarthy: I emphasise that the views I express are my own. I am not a member of a political party or of any lobby group. I have developed these opinions from the materials I was able to retrieve from the Department.
A list has been circulated of some 40 questions that I would wish to have addressed. I will mention the various roles of the citizens of Ireland. The people own the Constitution and have set up these institutions through the Oireachtas. The Minister and his Department implement the legislation. On the ground, the returning officers and presiding officers in the polling stations conduct the elections formally and statutorily. That has been the case since the State was established. We are now about to move to a new set of equipment and software where the roles are extended to the hardware and software manufacturers. There are issues surrounding hardware. The software developer is of particular note where the statutory count rules are implemented. Then come the testers and reviewers and to some extent certifiers. As we will see, the certification process is a little weak.
I have noted these points in the material supplied, showing that the Constitution and the electoral Acts are formal. We have to abide by them. They produce statutory rules which originally were solely in the hands of the returning officers but which will now be in the hands of voting machinery which is designed according to a specification issued by the Department, principally called the Count Rules and Commentary, a single document. This has been modified as this development has gone on. The voting machine and software are developed by Nedap in Holland, and the IES count PC is, as I understand it, subject to Mr. Callan's comments that it might be different, a normal PC, running specialised software developed by Groenendaal. My concerns are: who owns these various roles and who is allowed to change them, and under what control? Who designs them, tests them and operates them? There are quite a few new roles defined here which I would like to illustrate. The names in yellow boxes on the document supplied are those of the various owners, as I understand it. The Department owns the Count Roles and Commentary.
Owning is an interesting concept. The machinery is owned in due course by the returning officer, but the design is owned by Nedap, as is the software in the case of the voting machine. It is surveyed and certified by Kema, TNO and PTB, two of which companies are in Holland, I think, and one in Germany. On the software side, the Groenendaal Bureau writes the software we are most concerned about here. It is tested in a black box manner by the Electoral Reform Society in the UK. It is code-reviewed, but not tested, by Nathean Technologies in Dublin. We therefore have four Dutch companies, one German, two UK companies and a single Irish company assisting us in implementing the statutory rules necessary to run elections in Ireland.
The issues I am most concerned with are the documentation and testing. In my request to the Department I sought the systems design specification for the counting system. That was my original request. It was all I focused on because I am familiar with counting. I like the counting process and I understand it very well. Part 19 of the Electoral Act 1992 is engraved in my mind because I have had need to argue it from time to time with returning officers and fellow agents. It will be implemented in software, something with which I am very familiar. I wanted to see the test plan and the design plan. The Department responded quite correctly that it did not have that documentation. It still has not got it, after five requests under the Freedom of Information Act, two internal reviews and one appeal to the Information Commissioner. The principal reason the Department has not got the essential documentation is that it has not got a contract with the provider, and therefore section 6(9) of the Freedom of Information Act, which would allow it to retrieve those records, is not operative. I have appealed this to the Information Commissioner and the appeal continues. I submitted the appeal on 22 April but a decision has not yet been given.
There are other technical issues involving this system, in particular the use of the Microsoft Access database to hold the votes. Nobody in his or her right mind uses Microsoft Access for a critical system, and I will show formal opinion from Microsoft to that effect. We are concerned about the integrity of the vote. This matter has exercised us all. How can we ensure that the vote is safe? Typically in modern systems, whether they are gambling, financial or voting systems, we should provide for the integrity of each record with a MAC - a message authentication code - such as is used universally in systems in Dublin for e-top up vouchers, ATM withdrawals and for national lottery wagering transactions.
I mentioned cosmic rays. These are an interesting natural phenomenon that cause errors in large populations of computers. It is a verifiable condition, well understood in the literature. The best example here is a Counting PC in Schaerbeek in Belgium, which on 18 May this year credited one candidate with more votes than on his party's list - an impossibility. The votes were counted next day and it was discovered that the candidate had 4,096 votes too many. This count was formally done by the manufacturers, the Ministry of the Interior and the president of the canton. The conclusion was that a cosmic ray had flipped a bit and caused the extra votes. Such things happen and we must take them into account. To be fair, the Nedap design has taken it into account very well, but there is no evidence that it has been taken into account in the counting system.
As power failures occur all the time, there is considerable evidence in the material I have looked at that power failures are beginning to exercise the technologists in the Department as to what happens between the moment the yellow vote button is pressed and one's voting preferences move through the machinery before landing in the memory. That takes a few hundred milli-seconds, and things happen as the power fails. It is a very interesting exercise to figure out where the ballot is during that process. We need the integrity of the machine to handle that.
Those are the major issues I am worried about. My professional concerns revolving around the development of the environment are that the software in use is being re-released every three weeks. We have had 40 releases since January of last year. The releases being tested by ERS are already out of date. I do not know which particular release Nathean has most recently reviewed. It last reviewed version No. 111 and the draft report for that was refused to me. I appealed the decision and the deciding officer said I could have it on 31 December 2003. I have not got it yet, so I am in a position of some ignorance. I will be delighted to stand corrected by the Department and its officials on my lack of knowledge. I am suffering from a severe lack of knowledge regarding this matter. Yesterday I spent three hours reviewing Department files and it seems from the information I read that ERS has not tested the European ballot module. There is no evidence that it has tested the European vote, a very large vote, with 400,000 or 500,000 votes in each count. That is a heavy-duty load on a PC. It may be more than the ERS testing system can handle. I do not know. There is no evidence.
Up to a couple of days ago, Dutch code and messages were still being produced by the system. That is a serious concern for the understanding that we might have of the Dutch code being written by Groenendaal.
There is a major concern about how the returning officers will run these complex systems. They will need IT support, and concern has been expressed about how the officers will do the work. They primarily work in county court houses and elsewhere around the country where the PCs are on LANs. They might put the software on the LANs and the software might leak. That and other matters are of concern to the Department but I cannot see the formal solution.
Mr. Callan referred to the most worrying issue. The continuous improvement that he suggests is not evident to me in that currently it has not yet been proven to work in the first instance, before any improvement. The timetable which Groenendaal had hoped to meet, was that the software would be developed by the end of April for testing in May and June by ERS and reviewed by Nathean. That has not happened, however. It is still in test as of a couple of weeks ago. It may have finished in the past few days, but as of a couple of weeks ago, ERS was still testing it - six months afterwards. I do not like the fact that there is no formal Chinese wall between the developers and the testers. The representatives of the testers in the UK were sending change requests directly to the developers, who were implementing the changes and there is evidence in the files that the project manager in the Department of the Environment, Heritage and Local Government is attempting to corral these frequent changes so that he will have a stable position to offer to Nathean for its review. In other words, changes are happening willy-nilly.
My concern is whether or not this is a safe system. In my professional opinion it is not. The other query I have is: who decides whether it is or not? It is the committee's role to adjudicate on this as the representatives of the Oireachtas and then tell the Department of the Environment, Heritage and Local Government how formal procedures are to be put in place to do the testing and the checking. There is no evidence of any formality in the procedures. The question as to who decides our votes and who decides the system that will count our votes rests with the committee.
Deputy McCormack:Inadvertently or otherwise the committee has started on the process of examining this system and attempting to reach a conclusion on that. Therefore, a major responsibility will rest on this committee if, God forbid, anything goes wrong with the system. Just to clarify the position, I would like to know at this stage whether we are closing the gate after the horse has bolted. Has the contract for the system been awarded? It would be useful for us to know that because it might have an influence on matters down the line. The committee is not on a witch-hunt. Members are anxious to be able to say with confidence to the general public that this system is the way to go. It is difficult for professional people such as the witnesses before the committee today to have the concept of how little confidence the general public has in anything that is politically driven. I am not referring to any political party. It is only as a practising politician that one fully realises the level of distrust among the general public towards anything politicians do. I will not go into the causes for that, but they are obvious. Therefore, we have a difficult task in convincing the public that our decision is the right one.
Mr. Callan said only a small minority, worldwide, has the paper trail. That means the paper trail is possible if a small minority, whatever it is, has a paper trail. There would be much more confidence in the ability to check this system if there was a paper trail. Why cannot we have a paper trail so that it would boost our confidence in the end result, rather than having any doubt over it?
Finally, and this is not clear to me - and I asked about it the last day also - up to now the voting system provided for presiding officers and poll clerks in each polling station. Some of those were elderly ladies and gentlemen. Given the high levels of employment it was often difficult for returning officers to get presiding officers and poll clerks. Will they be replaced by people with different qualifications? Will the presiding officer be a person responsible in the polling booth all the time for voting on the day, whether by electronic or manual means? Is a new type of person to be recruited nationwide to be a presiding officer and a new type of person to be a poll clerk, because in the latter case someone will have to record the people who have voted? How are those people to be trained in the new technology? What happens if there is a breakdown in the technology and the presiding officer cannot correct it because of his lack of technical knowledge and an expert has to be called in? Who will decide what that expert is doing when he or she is attending to the breakdown? It is too vague to say: "Let us carry on as we are." At the last committee meeting members asked that all negotiations about contracts should be stalled before we come to a conclusion. I am anxious to know where the matter now stands. Perhaps I can put some other technical questions afterwards for others.