Deputy Cuffe: My concern is that a few lines of computer code might wreak as much havoc as a shredder installed at the back of a counting station but would remain invisible, as we cannot see inside the box whereas we can see the paper ballots being sorted.
Deputy McCormack: Deputy Allen's question whether a PR contract was entered into was not answered. The response given was that no contract has been introduced since we made the request to the Minister. I would like to hear a reply to that. In a manual ballot many voters take the opportunity to spoil their vote. Has a voter got that opportunity with the electronic ballot? Some people spoil their votes deliberately. When it comes to a close vote and the scrutiny of votes, the majority of spoiled votes are because presiding officers fail to stamp the ballot paper. If some presiding officers are not fully capable of conducting their duties with a paper ballot, how will we ensure we have presiding officers fit to conduct their duties with the electronic system?
Deputy Gilmore: I have a few questions for the Secretary General. On the issue of a paper trail, he said there would be an issue of confusion as to which was the dominant record if we had both paper and electronic records. If legislation clarified this, would there still be a difficulty in providing a paper trail?
I was interested to hear the Secretary General talk about the study of spoiled votes. This is the first time I can recall this issue being analysed. I did not know there had been an analysis of spoiled votes. If the Department has done an analysis, it should be made available to us. It is possible, for example, that there may be a political conclusion or slant to the pattern of spoiled votes. The information and analysis on spoiled votes, which has led the Secretary General and his officials to the conclusion that the number of spoiled votes justifies the introduction of electronic voting, should be made available to us.
I understood from the Secretary General, that his difficulty in releasing the source code was that the Department does not currently own it. I presume the owners of the source code are represented here in this room. Will they make the source codes available?
Mr. Callan: With respect to what Ms McGaley said concerning the voter-verified audit trail, we do not believe that this is a predominant trend with regard to electronic voting. I stand by our thesis that most electronic voting systems have no truck with voter-verified audit trails on the basis that the most sensible way of validating an electronic system is through testing and quality proofing it so that the input signal produces the desired output. We can, as we move closer towards the elections - from next month on - simulate for the benefit of political parties or any other interested people if they so wish, exercises which will show that votes inputted and stored in the machine produce the same result as on paper. We will print the voting preferences in advance, keep the printed record, input the printed preferences and produce the machine print-out of what was inputted to show both input and output are the same. We are willing to develop and run such exercises if they are helpful to those who want to discuss the matter with us.
I will offer Mr. Groenendaal the opportunity to comment on the software as he is its developer.
Chairman: Please deal with the issue with regard to public relations.
Mr. Callan: I will, of course. As with the matter of ballot boxes, letters of intention have issued on the public relations contract but it has not finally been executed in a legal sense. We accept that a contract will be entered into but it has not been signed off on yet.
Mr. Jan Groenendaal: The international situation was mentioned. The concept of using voting machines is not so new. One of the principal aims in introducing the concept was to get rid of paper. The introduction of voting machines in the Netherlands years ago completely got rid of the paper trail, yet the people's confidence in the system is extremely high. Since 1984, every parliament was partly chosen by the use of voting machines using our software in polling stations. Their use has increased and is now at 95%. In Germany, and when Germans change to something new they do things thoroughly, the system as used in Holland is recognised in legislation for nation-wide elections - the European Parliament and the Bundestag. It is also recognised in seven of the 16 Bundeslander for all the regional and municipal elections. Approximately 100 communities there started to use this system in 1999, among them the town of Cologne with almost a million voters, which has had nine elections since. At the end of October France recognised in legislation the use of this system. I oppose the view that there is no trend to move away from a paper based system. There is broad acceptance of the existing electronic system, at least in western Europe. However, we must consider that there are about 200 million inhabitants. We have accumulated experience in Holland and have processed approximately 70 million votes in successive elections. We never lost a vote or had one petition against some irregularity or doubt. There are significant reports from independent institutes about the considerable confidence people in France, Germany and Holland have in the system.
Chairman: Mr. Groenendaal spoke about not losing a vote. How are faults detected? What happens if 100 people vote for Deputy Gilmore, for example, and ten out of every 100 votes cast for him go to Deputy Andrews because of a fault in the system?
Mr. Groenendaal: It can be detected by the so-called black books test, whereby one is sure that the machine one starts with performs as it should. A greater concern would be if 1,000 people voted at a polling station and only 900 votes were registered in the electronic books. We never had any failure of this kind and we have a memorable record.
Deputy Gilmore: When this committee last sat it was stated that there is no such thing as a 100% accurate computer system. Is Mr. Groenendaal's system 100% accurate? If 50,000 votes are cast in a constituency, will 50,000 votes be recorded and counted accurately?
Mr. Groenendaal: Yes. It is very easy because our system works as a complete one-to-one substitute for the existing procedure. We have a ballot box and the only difference is that it is an electronic device. It stores every image of a vote. Once polling ends, we have ballot boxes with their contents, which can then be counted. If the count goes wrong, we return to our ballot boxes, just as one would do in a paper-based system. One can carry out the count again on another independent computer.
I have a further point to make on the audit trail. The committee should not be under the illusion that a paper trail of each vote in a polling station will raise credibility. It can still be tampered with. Furthermore, once a paper trail is introduced, with a printer next to every voting machine, the probability that the machine will work all day without any disturbances will decrease dramatically. It is the cash register syndrome.
Everybody who talks of a paper trail should go to the NCR and ask how people in a supermarket on a Saturday afternoon, for example, react to numbers first appearing on a screen and then on paper. One does not check one's receipt immediately after purchasing goods in a supermarket. If a voter does not check immediately, the whole concept of the audit trail goes down the drain. One does not gain by adding a paper trail, and the purpose of the voting machine is to get rid of it.
Mr. Henk Steentjes: I can add to Mr. Groenendaal's point. As he stated, the machine is designed to work without a paper audit trail. The plea for a paper audit trail is heard in several states in the United States, where investigations have been conducted by all kinds of computer experts on the touch-screen voting systems that are used widely in that country. Most of the touch-screen voting systems are PC-based and have very vulnerable operating systems. Everyone is familiar with the blue screens of Microsoft in this regard. This is not the case in respect of our machine. We worked to address concerns such as those of this committee for over 32 years. The first voting machine we built was built 30 years ago according to a mechanical design.
The important thing about a voting machine is that it must work when required and must be dedicated to its task. Therefore, we built a machine based on proprietary hardware and firmware, i.e. embedded software. The machine cannot be bought elsewhere as we designed it specifically for its purpose. We carried out extensive worst-case calculations on it and we built all kinds of protection layers into the software and hardware to ensure secure and safe recording and storage of votes. The system has been designed well and tested by a top-ranking test institute, the Physikalisch-Technische Bundesanstalt. The Home Office in Germany directs this body and it is the only institute allowed to test voting machines that are to be operated on a nation-wide basis. The institute did a thorough test of the hardware, examined the design and carried out very thorough code and software inspections. These tests ensure the machine will store votes in the ballot box. We must be certain the machines being built are the same as the machines that have been tested. The machine the German institute tested is held in custody there and reference can always be made against that machine.
The embedded software, firmware, has checks that appear on screen when the machine is started. It checks that the correct software version is installed in the machine. The machine is not accessible from outside; new software cannot be installed and to do so, one must unscrew the cover and go deep into the electronics to change the circuits. This is difficult to do. Who will do this? The software is not available for purchase. By its design, the machine is difficult to tamper with.
Mr. McCarthy raised the question of electrostatic discharge. This was considered in the design. We conducted severe electromagnetic compatibility tests on the machine. For example, one thinks of the effects of electrostatic discharge in dry weather when one can get a shock when one touches a car door. This effect can disturb electronic equipment. Each voting machine we build is individually tested with 16 kv on several parts of the machine to ensure that it can withstand harsh environmental conditions, both in polling stations and in transportation to the stations.
By the nature of its design, the machine registers the vote and stores it in an electronic ballot box. Each individual vote is stored four times in individual memories so that if one fails, the others will still exist. Constant checks are carried out and each time a new vote is stored, all other votes are checked for validity. This is to help us check for errors. Mr. McCarthy referred to sequences that altered from zero to one. Something like this could not happen under our system as we do not totalise votes and then store them - each individual vote is stored and can be retrieved. The votes can be downloaded in any computer system that can read ballot modules. There will be a set of electronic votes similar to the physical ballot papers one would find in a ballot box. The votes are then processed and can be mixed in all kinds of ways in the count.
This is a system that can register votes in a secure and safe way. A top-ranking testing institute tests the system. When I headed for Ireland from Schiphol Airport, I boarded an aeroplane and placed my life in the hands of those operating the aircraft. I did not ask to see the source code used by the authorities or ask how it was tested. I trust Airbus, the manufacturer of the craft, and the FAA that certified the machine.
Deputy Allen: The problem is that aeroplanes sometimes crash.
Mr. Steentjes: Yes. This is part of the system. If we have 7,000 machines in operation, I can assure the committee that some will fail on election day. However, the votes stored will continue to be stored. The machine will be replaced and voting will continue and the ballot modules from both machines will be read. I invite the committee to fly with us.
Ms McGaley: The system is well developed and Mr. McCarthy also gives this impression. However, if one boards an aircraft and something goes wrong, one will know about it. We may never find out if something goes wrong with the electronic voting machine and this could result in the wrong person being elected to power. I need tangible evidence that my vote is recorded correctly.
Mr. McCarthy: Mr. Steentjes has made a few statements and I am afraid the Department is damned in the eyes of its own experts. Mr. Steentjes said that general computers sometimes get blue screens and stop. This is precisely the type of computer the Department proposes to use for the counting of votes.
I agree that the Nedap machine is superb. It is extremely well engineered and records votes four times in the ballot modules. What happens in the module? It is a passive device that serves as a ballot box and is brought to the count centre. It will be exposed to the elements for a number of hours before it is counted. Granted, the votes inside it are recorded four times, yet because of the number of machines we have, one of those devices will suffer a single event upset. Precautions have been put in place by recording the vote twice - it is recorded and inverted in the first chip and a recorded for a second time and again inverted in the second chip. Will Mr. Steentjes tell us what rules are applied in the counting system to judge which copy is real and which is damaged when the chips are read? How often have the "internal voting rules" in fail-safe systems been triggered? Perhaps it has never happened or it may have happened a number of times.
The ballot modules carry the preference of the voters to the counting centres. As Mr. Steentjes said, a machine will occasionally fail and a back-up machine will be used, a so-called spare ballot. There is direct evidence in material I have read that the Department has not put into procedures with Groenendaal the correct accounting for occasions when spare ballot modules are used in a polling station. These will be used occasionally and this will not be known when one returns to the count centre unless one carefully checks what the presiding officer signed for and returned. They are still testing the traceability, accuracy and tracking of this before the so-called release for mix and counting takes place. I draw Mr. Groenendaal's attention to an error, which occurred during ERS testing last year, but was fixed. During the test a vote appeared to have been lost after a transfer and after that point the number of votes was one fewer than at the start. The error occurred in mature software, version 84. Version 85 probably fixed the error, but this is an example of what is currently going wrong in the IES software written by Mr. Groenendaal. There are many others.
From the point of view of software development, my concern is that in the test records, which I reviewed yesterday, these incidents are not numbered - there is no bug numbering or tracking and no resolutions are reported by the developers to the owners in the Department. There is no evidence that formal procedures are in place for fixing these and there is evidence that the ERS company is not reporting bugs to the Department but directly to the developer, who sends back software to be tested further. That is a dangerous process in a system that needs to be statutorily controlled.
Mr. Steentjes mentioned that he tests his devices with 16 kV ESD. In fact, the energy of cosmic rays is 10 GeV, which is far higher, and cannot be protected against, only coped with. I know a little about this because I am a physicist. These are examples of the real problems with the system. The general design of the Nedap system is quite strong and it has coped as well as human design can cope with the occasional error. We are human, so the systems we invent are not perfect. There are even ambiguities in the statutory counting rules that are giving grief to the Department and the software developers, who do not know what to do about eliminating multiple lowest continuing candidates with zero votes, although that is not likely to arise in the context of Irish elections. The greatest difficulty for computer systems is dealing with the null case - the case in which there is a zero quantity of something. This is far more difficult to deal with in software than any positive or negative quantity, because the system must deal with an absence. It comes very close to the absence of a paper trail.
To take up Mr. Callan's comment about the difficulty of managing a paper trail, we have no difficulty in managing paper today. We must treat the paper trail docket in the same manner as today's ballot, with suitable legislative controls, either primary or secondary. The docket is given to the voter by the machine at the point at which the vote is cast. Perhaps a second button would be required. It must be folded and the back of it must be presented to the presiding officer, placed in the ballot box we have today and sealed.
When the software reads in the preferences from the ballot module, I know it records the voter number as randomised. Does it also record the ballot module number? If it does, Nathean's review has told us these two numbers are kept after mixing and thus at any time the contents of a ballot module may be checked on a random basis by using the paper in the ballot box. We must incorporate this before we can trust the system.
Deputy Kelleher: I thank Mr. McCarthy for his contribution. Under the system of paper verification a person goes to the voting machine and casts his vote electronically and then takes the paper verification ballot, looks at it and presents it to the returning officer in a ballot box. This provides an opportunity to scupper or undermine the integrity of the election because he could state that the vote he cast is not what is on the ballot paper. If several people did this in an orchestrated fashion the integrity of the election could be undermined. Could Mr. McCarthy tell us whether this has been considered?
Mr. McCarthy: The machine records both the electronic vote and the paper ballot. It is the machine that prints the piece of paper and records the electronic equivalent. I understand the opportunity of changing one's mind is always there. Whether, through legislation, we allow for this after the paper has been printed is a matter for the Deputies to decide.
Deputy Kelleher: Mr. McCarthy is missing the point. The person would not actually be changing his mind but saying the machine did not accurately turn out his vote.
Mr. McCarthy: The voter only has one thing in his hand at that time and he also has a piece of trust. The one thing in his hand is the paper record of his vote and it is what he input because if it is otherwise, he must not have cast it. We must invent a two-phase commit procedure - a common thing in software - whereby if one decides one wants to do something, one writes it into the system, then checks it is in the system, and then knows it is done. If a person decides to vote in a certain pattern he presses the buttons. There is no opportunity for people to press them backwards.
Deputy Kelleher: People who have given presentations to the committee have stated there is an inherent flaw in the system whereby a voting machine could move votes - one in 20, one in 40, one in 100 or one in 1,000. This was stated by Ms McGaley last week. It could create difficulties.
Mr. McCarthy: The proof of the pudding is that the paper ballots are available for the normal counts. We count the contents of the entire election or a selected ballot module against the records from the election or module, post facto. We should do this on a random basis to provide trust in the system. I do not follow the Deputy's contention that it would be an opportunity for mischief. I do not see how the mischief could be created because the individual voter's intent is recorded by the machine and printed on the paper and, as we know, it becomes anonymous. The machine does a fine job of making it anonymous in the ballot module. It is an anonymous but consistent record.
The Belgium system records the vote on a magnetic card. It is almost the same thing except it benefits from being reusable and it meets Mr. Groenendaal's desire to do away with paper. In Belgium they are lucky to have a ballot box physically attached to the computer containing the magnetic cards of all the voters of the previous day. During one test the cards were run through the machine again and counted, resulting in a discrepancy of 4,096, which did not occur in the voting machine but in the counting machine. We have two completely separate systems, meaning two sets of software and two separate tests. We must have trust in each system separately. I have far more trust in the Nedap machine than I have in the ordinary Microsoft PC, with software written by Bill Gates and his company, on which we will count our votes, with blue screens and everything.
Ms McGaley: The question asked by Deputy Kelleher was also asked last week. If a voter casts his vote in a Nedap machine and claims the machine will not allow him to make his vote, that is the same problem as occurs when the machine prints a ballot and the voter claims it is not the correct one. The problem is introduced by the electronic voting machine, not by the paper ballots.
Mr. Steentjes: As Mr. McCarthy said, the voting machine is trustworthy. That is very important because the votes are in the ballot box, allowing for counts and recounts any time. What is important is that the votes are available. One cannot ask people to come and vote again.
Mr. Callan: I am not a technical expert, but it is worth pointing out that in addition to the four-way storage of each vote, as mentioned by Mr. Steentjes, there is a backup module in each machine in case of untoward events, so there is double the security in the event of any breakdown or difficulty.
We would be willing to engage with Mr. McCarthy to deal with the detailed set of questions he has put to us. Some of his arguments were a little difficult because of his limited access to our background material, but we will be remedying that early in the new year with the publication on our website of a suite of reports relevant to the certification of the whole process. We will send those reports to all concerned. Mr. McCarthy is developing some rather invidious conclusions on the standards and professionalism of the work carried out so far, but we hope to satisfy him in our response to the 40 questions he posed. Some of his arguments seem to amount to saying that a computer has no place anywhere near the electoral process. I find that a difficult proposition in terms of the prevalence of computer use in modern life. It is not accepted by an increasing number of electoral authorities and governments around the world, or by the people of the Netherlands and Cologne who are benefiting from the system being extended to Ireland. We will engage more fully with Mr. McCarthy when we have had the opportunity to study the 40 questions in more detail.
Deputy Gilmore: I would like to hear Mr. Cochran respond to the assertion by Mr. Gronendaal that if 50,000 votes go into the system in a particular constituency, those 50,000 votes will be accurately recorded and counted. Mr. Cochran dealt with this issue at the last meeting and I would like to hear him respond. I asked earlier about the ownership of the source code, and whether it can be released.
Deputy J. Brady: I was elected by means of this system at the last general election. We heard then some of the same type of negativity that we are hearing from some quarters here today. In my constituency at the time of the general election it was suggested that the elderly, the young and those not interested in computers would not vote. The constituency turnout was nevertheless tremendous, as it was elsewhere. I have the height of praise for the system.