This is a sad day for technology. I love it when technology enables progress and efficiency in business and society. It saddens me when progress is stopped over security fears. I can certainly appreciate the risk management logic with e-voting, especially in times of suspected elections influence through hacking. However, I wonder whether the below case is more a question of a poor risk management practice causing a setback to progress.
The Dutch Government has now fully rolled back their evoting program, reverting to a fully manual processing, counting and reporting of voting ballots. In 2008, the Dutch Government had already banned voting machines over security concerns (“We Do Not Trust Voting Machines” was the motto of a local activist group at the time). Since 2008, computers were just used to process the district vote local results, aggregating them for national result calculation. The software used was essentially a reporting (BI) tool in my understanding.
The reason for the rollback is over security holes and vulnerabilities of the software (“OSV”), amounting to a “critical” risk, because of a lack of transparency (“no final paper audit is performed to see if the analog and digital vote count is the same”).
The vulnerabilities reported on OSV include:
- Outdated, and insecure, Operating System environments (e.g. Windows XP)
- Unprotected voting data storage and transfer: “OSV stores results in an unencrypted XML file, and voting results are transferred via unencrypted USB sticks or unencrypted email over the internet.”
It would appear, accordingly to the report from infosecurity-magazine, that a key element of the Dutch Government decision is based on a lack of basic information security hygiene of the solution used to date. I wonder whether a correction of risk management practices would have downgraded enough the overall risk of election result tampering, and whether keeping a technology assisted voting solution would have outweighed the impact (logistics, cost, etc.) of a full revert to manual operations.