A group of election security experts said, after a deep dive into Australia’s electronic voting systems, that they have “serious problems” with the accuracy, integrity and privacy of elections run by the Australian Capital Territory (ACT) Electoral Commission.
The team of four cybersecurity professionals concluded that the ACT e-voting system errors did not impact any election outcomes, but could potentially sway future vote counts if left uncorrected.
Dr. Andrew Conway, Dr. Thomas Haines, Prof. Vanessa Teague and T. Wilson-Brown aren’t accusing anyone of intentionally sabotaging the Australian electronic voting and counting system (EVACS), but are asking for more transparency from the government into the system’s current source code.
“We believe that the internet voting system is new, and that the voting, paper-ballot scanning and counting modules have been completely rewritten since 2016,” they said. “But we cannot be certain, because we have not seen any of the 2020 source code.”
The researchers also recommended the use of paper ballots and the suspension of internet voting.
“Secretive, unverifiable systems like the ones used in the ACT 2020 election make it relatively easy to change the recorded list of votes cast, in a way that observers cannot notice,” they said. “It also makes accidental errors more likely to remain undetected.”
Voting System Errors
After analyzing the EVACS code, the team found three critical errors, which were fixed before the team’s disclosure. First were count errors in the EVACS algorithm that amounted to a miscount of about 20 votes.
“Although some anomalies were as small as the sixth decimal place, some were much larger,” the report said.
The team is also critical of the government’s lack of regular software audits.
“This supports our recommendation that the code and related documents be made openly available to public scrutiny, rather than entrusted to a small number of auditors chosen by Elections ACT,” they added.
Alarmingly, they also found that the system collects the time and place registered voters cast their ballots, presenting a potential privacy nightmare.
“The publicly released voter frequency data shows that at least one system was collecting voter times across all polling booths,” they said. “This increases the risk of vote disclosure, particularly if there are mistakes in the design or implementation of any of the vote-handling systems.”
Paper ballots would provide the ability for a vote audit to take place. As it stands, scans of official ballots are used in recount efforts, which the team says could be inaccurate.
“The current paper vote-scanning audit processes are not sufficient to guarantee the accuracy of the system,” the researchers said. “Specifically, the checks and audits performed by the commission are unable to detect certain kinds of errors. There are no checks for ballot papers that are actually informal, but scanned as formal.”
Australia is just one of many countries across the globe grappling with how to secure elections in a digital age.
Last fall, U.S. voter databases were offered up for free on the Dark Web, and the Georgia elections were hit with a ransomware attack right in the middle of a heated 2020 election season.
The team also stressed the importance of allowing an independent audit of the e-voting system’s source code, which could help detect and correct errors before a recount is necessary. They are asking for access six months in advance of any election to the e-voting code, paper-ballot scanning code, counting code, voter-roll mark-off code, system requirements documentation and more.