The Municipal Affairs Committee (Kommunaludvalget) 2012-13
KOU General Part (Alm.del), Appendix 70
Public
Parliamentary Statement for Bill L-132
Dr. Joseph Kiniry
Professor of Software Engineering and Head of Software Engineering Section
Department of Applied Mathematics and Computer Science
Technical University of Denmark
12 March 2013

Executive Summary

Moving forward with trials within the framing of the current bill (L-132) follows the well-worn path of other nations. In general, other nations have spent enormous amounts of money and time in creating computer-based election systems that decrease public control, harm voter trust, decrease voter turnout, and, at times, have caused elections to fail. Denmark has an opportunity in L-132 to do something different. I frame this distinction, and then provide several explicit recommendations for revision of L-132. If such recommendations were adopted, it would open the door to conducting high quality, scientifically-grounded, binding trials in computer-based elections at reasonable cost.

Speech

Good morning ladies and gentlemen. My name is Joseph Kiniry. Thank you for inviting me here today to speak on this topic. I am going to give you a brief statement on International Experiences and Denmark's Opportunity with respect to Parliamentary bill L-132.

Firstly, a bit of background. I am what one might call an internationally-recognized expert in electronic elections, software engineering of critical systems, information security, and logic. I have worked in the subfield of electronic elections for ten years in three countries. I was a part of the active research and activist community in The Netherlands and Ireland, directly or indirectly advised both governments, and had some hand in both of those countries deciding to forbid, by law, computer-based elections.

In my decade of activity in this research field, I have rarely heard a researcher speak positively about the use of technology in elections, both in the polling booth for what we call "supervised" elections, as we have here in Denmark, and for remote elections over the telephone or internet, as we have heard about in Norway and Estonia. Virtually all public technology experts like myself are highly critical of computer-based voting, or what is colloquially known as "evoting".

I can say this with confidence because the community has had several worldwide conferences, during which manifestos summarizing the community's perspective on evoting were crafted by dozens of top researchers, including myself. I provided one such manifesto as background literature to this committee. Likewise, many independent studies and government reports written by researchers like myself have stated the same conclusion: today we do not know how to create a trustworthy traditional supervised evoting system (with a computer in the polling booth) or a remote evoting system (where one votes over the internet) that is both correct and secure and respects the fundamental principles of democratic elections.

On the other hand, I believe that technology does have a role to play in elections, but only to solve specific problems, and only if such systems are developed in a public, open, transparent fashion where correctness and security are first principles. Within the DemTech project, which I co-lead with, among others, Carsten Schürmann who is following me here today, we call this methodology of software and hardware development Trust-by-Design, and it is one of my core research focuses today.

At its core, the primary challenge with computers in elections is that elections must have public control. The citizenry involved in the election must be able to understand and trust the electoral apparatus—the people, pieces of paper, and computers—as well as its outcome—the election result. And moreover, if information technology is introduced into an election, it must be developed in a public, open, and transparent fashion.

Unfortunately, corporations who sell electronic voting software or services are universally against public, open, and transparent IT systems. Their main argument for being proprietary, closed, and opaque is for the sake of security. It is what we in the information security community call "security through obscurity". This claim is false.

A system is secure only when it is secure in the light of day, under full public view. All systems we all use every day for virtually all of our online commerce are public, open, transparent systems. To put it plainly, public, open, and transparent IT systems are the cornerstone of secure online systems. All of the business that we do as corporations or individuals, all the email that we read, and all of the files we share in the cloud are secure exactly because all of the software that keeps it secure is public, open, and transparent.

Furthermore, election IT systems must be absolutely correct and absolutely secure. This means that they must be developed according to the highest levels of international standards for correctness and security. Unfortunately, no corporate, and very few academic, election systems are developed against such standards. In fact, my group is one of the few in the world that does such election systems engineering.

This is no trivial matter because, to build each new election system, (1) fundamental scientific problems, mainly involving logic and arithmetic via cryptography, must be solved, (2) technologies must be invented that turn these mathematical foundations into usable reality, and (3) those technologies must be applied in a rigorous, transparent fashion. This is difficult, but not impossible, engineering, and there are firms around the world that have these skills.

I am also something of an academic-activist who uses hacking for good, or what some call a "hacktivist". Hacktivists like myself analyze corporate and academic elections hardware and software for correctness and security flaws.

Disappointingly, all election systems the hacktivist community has analyzed have egregious, fundamental correctness and security flaws that make them unfit for use in local or national elections. Such flaws—many of which are known, but undivulged, by the corporations that make the equipment—are one of the reasons that evoting has been banned in the Netherlands and Ireland. Moreover, their architectures are typically so flawed that they cannot be "patched up" or fixed. Therefore, only systems developed from scratch, with the correct principles of publicness, openness, and transparency, with a focus on correctness and security as mandatory requirements, have a chance at being fit for local and national elections.

Perhaps surprisingly, it is rarely the case that an election tallying system counts the votes properly, even in simple election schemes like those in the U.S.A. and the U.K., known as a "first past the post" system. If we cannot even count who has the most votes in a trivial scheme like that, what hope do vendors have, using poor engineering practices, to correctly implement more complex schemes like that which we have here in Denmark, like the list-based scheme in the Netherlands, and like the proportional representation by single transferable vote scheme of Ireland?

Some academic experts in election systems create free, Open Source, demonstration IT systems as case studies in new mathematics, security, and engineering techniques. These systems are also created to show governments and corporations that engineering election systems to the highest international correctness and security standards is, in fact, not only possible, but is cost-effective. In my research group, we have created, or are currently working on, several such systems. Our focus is on aspects of elections like processing voter lists, tallying ballots, rigorously validating others' tally systems, and a supervised, voter-verifiable paper audit trail-based (VVPAT) electronic voting system for research experimentation in novel, low-cost, end-to-end verifiable elections.

I believe that Denmark has an opportunity to learn from others' mistakes and wisely use IT for democracy. Consequently, I recommend that the Ministry amend bill L-132, based upon the criticisms and recommendations of IT and election experts that they have already received, rather than accept the feedback and change little-to-nothing in the original bill.

In particular, I recommend that trials must have a fixed termination date and must be scientifically conducted by independent agents.

I recommend that international IT standards of quality and security must be mandated for the deployed systems.

I recommend that all IT systems must be developed in a public, open, and transparent fashion, preferably with a methodology something like DemTech's Trust-by-Design method.

I recommend that such systems are used for election management, the creation and maintenance of voter lists, generation of ballots and voter cards, the management of polling lists, and the reporting of results.

I recommend that such systems are used to count ballots, so long as risk-limiting post-election audits are conducted.

I recommend, contrary to the current path of the bill, that only the disabled use supervised kiosk-based electronic voting systems to independently cast their secret traditional ballots. I do not recommend that the general public use such systems here in Denmark.

The fundamental reason for this latter recommendation is that introducing any technology into supervised elections more complex than a piece of paper and a pen means that the election is more opaque, more expensive, and has less public control. Furthermore, there is no evidence that introducing technology into a local or national election improves voter turnout; in fact, it often harms turnout.

I recommend that ballot design is changed, by adding a box in which one makes a mark, to decrease the number of spoiled ballots.

I recommend that computers should be used to analyze and optimize existing manual election procedures to increase the accuracy and security, and decrease the cost, of current elections.

I recommend that manual tallying of ballots is done via an optimized sorting process, followed by weighing, rather than counting one-by-one, sorted ballot piles.

These are the key points that DemTech has made to the Ministry, either via our høringsvar (consultation response) or in direct communication with Ministry officials. These are the key points that I believe should be adopted in the bill and, if they are adopted, I wholeheartedly support binding trials in digital elections here in Denmark. If these recommendations are not adopted and the Ministry says, "trust that we'll do it right", then we are following a well-worn rut carved by other nations, and hence I recommend rejecting the bill.

If these changes are made, Denmark will have learned from the mistakes of others, will be listening to digital election experts early in the process, and will have some hope of deploying IT in a wise fashion for future elections. By doing so, the electorate may continue to trust the election and we will have solved some of the major challenges of those responsible for running elections. Denmark would then be recognized as a thought-leader in digital elections for its willingness to think differently and not swallow vendors' sales pitches hook, line, and sinker.