Slashdot Mirror
Finnish Court Dismisses E-Voting Result
wizzor writes in with a follow-up on the Finnish municipal election in which 2% of the votes were lost by a defective e-voting system, and which the Helsinki Administrative Court had found acceptable. Now the Supreme Administrative Court of Finland has rejected the election results (original in Finnish; bad Google translation here) and ordered the election to be re-run. The submitter adds, "Apparently 98% of the votes isn't enough to determine how the remaining 2% voted, after all."
If the margin of victory was greater then 2 percent,
It was not, as best as I can tell from the translation:
Kauniainen municipality electronically of the votes lost to two percent, and for missing votes in the number would have been enough change in the outcome of the elections.
Just to clarify on this, most still voted with the traditional pen & paper methods. I guess E-voting was tested in some places. The finnish E-voting system was programmed by TietoEnator, which has had some questionable results in the past too in delivering working software. Still they get a lot of the government related jobs .. gee, wonder why ?
GeoKone.NET
Here's an article in non-google-translated English. Also contains some other links in English.
Electronic Frontier Finland (Effi) has an English article on this matter as well.
Actually the machines were supplied by local company called Tieto.
More about the case in English
Yle News
Helsingin Sanomat
Newsroom Finland
In municipal elections of Finland, each municipality chooses it's leaders. The amount of depends on the size of the municipality but in mine (Vantaa), there are 67 representatives for less than 200 000 people and not nearly everyone votes (it's closer to 100 000 people voting).
Add to that that we use different system than the USA. The person who gets most votes within any given party gets all the votes given for that party. The person who would have gotten second most votes gets half of the votes given to the whole party, the next person gets one third... And each politicians votes counted like that they are put against each other and the people with most votes at that point get the seats.
And we don't vote between two parties but a lot of them. In my municipality, there are representatives of 7 parties (and one chosen from outside party lists).
So a few votes can often completely change what parties get to be in power AND which representatives get in.
This is actually a solved problem. When you vote, you get a unique random sequence of characters. After the election is completed, a list of all votes is published. Next to each vote, the SHA1 sum of the voter's personal ID number concatenated with the random characters is listed. Example (truncated SHA1 sums):
64038c437f2c republicans
aea7fb41626d republicans
86895065f81f democrats
0ee79f4948b0 democrats
The random characters are never stored by the voting system, only the resulting hash. Any one person can verify that his vote has been counted, because he knows his own random characters and resulting hash. No one can find out what anyone else voted, because they don't have the random characters.
If you gave up secret voting, you could likely make a 'secure enough' voting system, since anyone could check their own vote in the system.
There's no need to give up on secret voting to get this. Thanks to advances in cryptography we can have secret *and* verifiable ballots. An example implementation can be found at Helios voting. Also, check out a description of a paper based system: Scratch and Vote [PDF]
The story isn't that well written. The system allowed the user to remove his ID card before the vote was registered. The lack of a paper trail is a large problem, and the lack of openness in the design doesn't help to gain the users' trust. Further, the system was designed by Tieto Oy (formerly TietoEnator), also responsible for the new systems at Sampo Bank (with numerous login problems, XSS exploits and such). Vestigia terrent.
Please check YOUR facts first. There were several problems:
- bad user interface design
- machines freezing up at the critical moment
- machines crashing when presented with the voting card
- instruction leaflet asking the voter to press "OK" once when twice was needed
- secret, closed source design
- no paper verification
- no public review possible of the algorithms etc
Of course, the publicity around this case centers on the first issue, because its the easiest to understand. But there were other problems, too, just read the witness statements from the actual appeals.
Finnish e-voting results annulled, municipalities to hold new elections by Electronic Frontier Finland ry (Effi), the best summary in English, IMO;
Helsingin Sanomat;
Helsinki Times;
The Brad Blog;
NewsRoom Finland;
YLE; and
Turre (the lawyers that won the case).
The voting system was provided by Tieto and Scytl. In their News Page, Scytl declares: "Scytl's Pnyx.core successfully used in local elections in Finland" Shouldn't they update this...? It is even possible that the 2% of the votes lost was due to the Pnyx.core, instead of usability issues with the voting terminals, as has been commonly assumed - who knows.
I'm also a Finn and I was counting the votes at the municipal elections in Helsinki late last year. The system is even more tamper proof than described previously. First of all, the ballot box is checked at the casting of the first vote that there's no extra votes within the box. The first vote is stamped (like the rest will be) and put in to the box. The parties have a right to set an observer for the whole time until the votes have been counted. The next day the votes are recounted (which is where I was part of):
All districts are dealt out randomly to counting groups. The groups then count the votes and if they agree on the number of votes with the first count - and don't disqualified any votes accepted previously due to certain criteria - then the result is accepted. The votes can be disqualified for multiple reasons: The vote paper might be completely unmarked and it is counted separately as an official form of protesting against every party. The other reasons are ambiguous number (usually trouble separating 1 from 7 and 6 from 0 or numbers that look different upside down, like 188 vs. 881 when a single vertical bar is used for number 1.), additional non-clarifying markings in the vote that could be used to link the person to the vote (to prevent vote buying & selling), lack of stamping (to prevent people slipping in multiple votes within the true vote) or using other than official voting paper in voting. Lot of votes disqualified contain all kinds of messages to the government, from a friendly "F U government!" to cryptic messages to God or Bavarian Illuminati.
If the result is in any way different from the previous count then it is dealt randomly to another counting group which will verify the result. All the disqualified votes go to the jurisdiction to give a final verdict on the votes and if possible decide the candidate the ambiguous vote is for.
All this counting is done in a group supervised by political parties, though in current stable political environment the supervision is only superficial. Being a member of this counting process has only increased my trust in paper voting and distrust in e-voting.
?SYNTAX ERROR
Internet-voting is absolute horror. It can be made technically sound but that's about it. Who can assure that it is my wife who gives the vote and not me who stole my wife's ID card or whatever (not that I would do so, just for example)? Who can assure that one isn't giving vote under physical threat? Rhetorical questions but current paper & pen method prevents these kinds of situations perfectly.
You don't know what you don't know.