SoS - Society - Electronic voting in the Netherlands

This Fall, a chain of events has completely changed the e-voting battleground in the Netherlands. The series of events has been a bit complicated, and even the Dutch media had trouble understanding it. Main players are the people of the campaign wijvertrouwenstemcomputersniet.nl (wedonttrustvotingcomputers.nl). They managed to get hold of a couple of Nedap voting machines and took them apart. They made the results of their analysis public on October 4, with the general elections scheduled for November 22. Main problems were the easy replacement of the program chips, and the tempest issue. Also, they found problems with the security of the storage facilities of the machines. The full report can be found on their website.

The tempest attack was particularly successful because there is a special character in the full name of one of the parties. This requires the display to switch to a different mode with a different frequency. The minister responded to the findings of the campaign people by having all the chips replaced with non-reprogrammable ones (not really a solution, but the public bought it), seals on all the machines, and having the intelligence service look into the tempest problem.

The fix for the special character problem was easy (don't use special characters). With that implemented, the signal emitted from the Nedaps was fairly limited. However, the intelligence service also looked into a different type of voting machine, a touch-screen based system produced by the former state press SDU. They found that the tempest issue was much worse there, and someone outside the polling station might be able to reconstruct the whole screen from the signal.

The minister then decertified this type three weeks before the elections, not because it did not meet the requirements (as far as I am aware, there is not much in the requirements about security, and certainly not specific issues such as tempest), but because it would endanger the order on election day. This affected about 10% of the voter population. Some districts got spare Nedaps, but others had to use paper ballots, especially because one of the older Nedap types was decertified later. Apparently, Nedap has been aware of the tempest issue because of discussions in Germany.

There was some discussion about whether eavesdropping on election day was such a realistic scenario that it would justify the decertification. In any case, the campaign was very happy to have a major event that backed their concerns, even though the focus had shifted from verifiability to confidentiality. And the minister was happy to have created an image of a decisive government.

(One of the other things the campaign achieved is the change of the term "voting machine" into "voting computer", which I think is very significant in public perception issues.)

One of the other concessions of the minister was the initiation of a commission of independent experts, who would look into the future of e-voting after the elections. I have not had a confirmation that this commission has been formed by now. The elections for the provinces are in March, and it is in any case not very likely that substantial change can be implemented before that date.

News

Hackers play chess against Dutch voting machines: campaign threatens with lawsuit against the State
Major campaign against e-voting launched in the Netherlands. See the campaign website (in Dutch). Leader of the campaign is Rop Gonggrijp.
First e-ballot via SMS text message proves a success in Switzerland
E-voting experts call for revised security guidelines
VVD (Dutch liberal party) wants Internet voting in 2007 parliament elections
Beverwijk local authorities propose Internet voting in 2006 local elections
Report of the Irish Commission on Electronic Voting on the purchased voting system (the Dutch Nedap/Powervote)
Report on statistical tendency of voting machines towards support for Bush in Florida which is criticized.
Article in Scientific American on electronic voting
Internet elections for public water management authorities (in Dutch)
E-voting systems must be based on open standards, says Council of Europe
Dutch e-voting software goes open source
Voting via Internet in European elections
Questions to the Dutch parliament referring to research by the Irish-British company Zerflow on voting machines also used in the Netherlands.

In most districts in the Netherlands, voting is done electronically. Thus far, this means that in the voting stations, a voting machine is used instead of paper ballots. Current investigations should lead to a decision on online voting, in which the voter does not need to travel to the voting station at all. This page provides an overview over the most important aspects of the use of electronic voting devices in elections in the Netherlands. The important issues are presented point by point. Also, legislation about electronic voting is covered.

By Wolter Pieters, Security of Systems group, Radboud University Nijmegen

Last update December 20, 2006

History of voting in the Netherlands

Source: www.parlement.com, an excellent site on Dutch politics (in Dutch, alas)

1848: constitution revision: direct election of the "Tweede Kamer" (comparable to House of Commons) based on "censuskiesrecht" (only males above the age of 23 who pay a certain amount of taxes can vote, i.e. about 11% of the adult male population)
1917: general male franchise, based on proportional representation; obligation to vote
1919: general female franchise
1928: introduction of "stemmen bij volmacht" (voting by authorization): in the Netherlands, you can authorize other people to vote for you; the possibilities for authorization have been restricted over time, because, especially in local elections, there had been cases of active vote gathering; by now, you are allowed to have only 2 authorizations
1965: legal possibility to use electronic voting machines in elections
1970: abolishment of the obligation to vote
1983: possibility to vote by postal ballot for Dutch citizens living abroad or staying abroad during the elections; the postal ballot needs to be accompanied by a signed statement and sent to the election office in The Hague or a special office in the country of residence; a (manual) procedure is invoked before counting the votes to guarantee the secret ballot, even in presence of a signature in the same envelope
1994: government starts stimulating the use of electronic voting machines

History of electronic voting in the Netherlands

The Netherlands have been ahead in electronic voting for some time. Since the late nineties, voting machines are used extensively during elections. At the time, remarkably little attention has been given to security and verification possibilities. The main issues were related to the operability of the machines, especially by elderly people. How the votes were counted and how the result was calculated did not seem to be of any interest to anyone.

Since 1997, an extensive list of requirements exists that voting machines have to meet. Demands on the verifiability of the calculations, however, largely remain unspecified. The possibility of recount is not mentioned in the concerning document. Moreover, criteria for result calculation software have not been assessed at all. In 1999, local authorities were reported to have used self-written software for this purpose.

Voting machines in the Netherlands have to be approved by an evaluation institute. Although multiple institutes could be designated, only TNO has been involved in this procedure thus far. Only TNO gets the source code of the software running on the machines, and the evaluation reports are not public either. This means that it is impossible for Dutch citizens to monitor the election process.

The most widely used voting machines are produced by the company Nedap. The only verification possibility that these machines offer is the comparison of the votes per candidate to the votes per party, and to the total number of votes cast. This check, however, is based on votes that have already been processed by the machine. No print is made of the individual votes for recount purposes. Thus, the "original" choice of the voter is not available anymore.

Due to the secrecy of the source code and the evaluation reports, and the lack of a paper audit trail for recount purposes, criticism in the Netherlands towards the obscurity of the election procedure when using voting machines has raised. Attempts to retrieve the source code via the "Wet Openbaarheid van Bestuur" (law on public nature of government) failed, because the source code is intellectual property of the producer. But, now that Ireland wants to use Nedap voting machines as well, and much discussion has taken place there, Dutch politicians start asking questions about the safety and verifiability of such machines. Maybe this will lead to some fundamental changes in the near future.

Remote voting

Currently there are two ongoing initiatives in the Netherlands concerning voting via the web or via phone.

Internet voting by the Hoogheemraadschap Rijnland.
Kiezen op afstand, by the ministery of internal affairs.

Hoogheemraadschap Rijnland

A hoogheemraadschap or waterschap is a regional goverment body for water management. Its officials are elected via ordinary mail, but the voter participation for these elections is typically fairly low. An experiment with election via the internet has been conducted in the regions Rijnland and Dommel in 2004, with potentially 1 million voters participating.

The system used is called RIES, and was developed by Rijnland in cooperation with the company Mullpon. By clever use of hash functions, the system is simple as well as reasonably secure. Whereas the hashes of all possible votes are public, it is impossible to deduce valid votes from them without the required voter key. Of course, the relation between voter and voter key should not be stored anywhere, but the same holds for bank access codes. Procedures that achieve this therefore already exist.

First of all, a reference table is published before the elections, including (anonymously) for each voter the hashes of all possible votes, linking those to the candidates. It is possible to compare the number of voters in this table with the number of registered voters.

After the elections a document with all received votes is published. This allows for two important verifications: a voter can verify his/her own vote, including the correspondence to the chosen candidate, and anyone can do an independent calculation of the result of the elections, based on this document and the reference table published before the elections. If your vote has been registered wrongly, or not at all, you can detect it. And if the result is incorrect given the received votes, you can detect it as well.

Ministry of Internal Affairs

The ministry of internal affairs has organised an experiment with "remote voting" (via web and telephone) for the election of the European Parliament on 10 june 2004. Participation was intended for expatriats, who had the option to vote by mail before. It is typically used by 20-30 thousand people, of the about 600.000 potential participants. The website that has been used is www.internetstembureau.nl.

The remote voting project is described in "Definitierapport kiezen op afstand". The main lines of the system are as follows. Voters register by ordinary "snail" mail, and choose their own accesscode as password. In return they receive a votecode as "login", together with a list of candidates, each with his/her own candidatecode. There were 1000 different lists in the experiment.

The system is being built by LogicaCMG, but the ministery owns the source code. Hence it has been made public, as is intended.

The responsible minister, De Graaf, reports in his letter to parliament of 8 oct. 2003 that the system has been discussed in a meeting on 25 aug. 2003 with external experts, coming from academia (including Bart Jacobs) and industry, see the their findings in an attachement to this letter (at the end). They urged the ministry to: be more open, separate concerns, pay more attention to fraud from within, perform more tests and evaluations (by independent parties), and improve logging.

The same letter to parliament also contains a risk analysis.

Some considerations

During the European elections in 2004, the Dutch government initiated an experiment in online voting. Citizens who stayed abroad at election day could cast their vote via Internet or phone. The system was designed by Logica CMG. However, the government demanded the transfer of the intellectual property rights of the source code with the system. This made it possible to publish the source code after the elections.

The source code zip file, published on the website www.ososs.nl, contains all Java classes written specifically for the online voting system. Classes that are part of general Logica CMG technology are not open source. This means that it is only possible to inspect the (partial) source, not to compile and run it. It can be argued that this is a serious limitation to an open source system. However, the main goal of the government (transparency) is not that much affected by the impossibility to run the system. After all, one does not want to include the source code of the operating system of the server either.

Another issue is how to guarantee that the published source corresponds to the program that was running on the server at election day. A suggestion by our group was to calculate a hash (unique fingerprint) of the source code before the elections, and publish this with the source after the elections. This enables citizens to verify that the code has not been changed after the elections. However, it turns out that some parts of the source code have been changed for publication purposes (like key lengths, fixed keys, etc.). So even if a hash would have been published, verification would be impossible.

Of course, even if the source has not been modified since the elections, this does not prove that the compiled code run on the server corresponds to the source. So, the compiled code needs to be included in the hash, and someone will have to verify that this hash was indeed calculated on the server, on which the associated compiled code was actually running at election day.

Questions that should be asked with regard to this experiment include:

Do we want full open source for future government IT projects (all code used in the project should be open source)?
How can we be sure that the source code corresponds to the program actually running?

History of legislation concerning electronic voting

This section contains relevant events in the history of legislation on electronic voting in the Netherlands. The available material has been obtained via the Internet. The amount of data about the period before 1995 is therefore limited.

1989: Regulation for approval of voting devices

July 11, 1991: Formation of "Projectgroep Specificaties Stemmachines" (Project Group Specifications Voting Machines). Wanted: unequivocal functional and technical requirements that voting machines have to meet. Planned completion: December 31, 1991. We have not been able to find a report yet.

9 April 1997: Two changes in the Voting Decree
1. Phased voting allowed on voting devices: first one chooses a party, then a candidate. Consequence: the complete list of candidates no longer needs to be visible on the devices;
2. Voting devices may be used for two elections at the same time, in case of combined elections (e.g., parliament + referendum, or provincial + local elections).

11 July 1997: "Regeling voorwaarden en goedkeuring stemmachines" (regulation for requirements and approval of voting devices), replaces Regulation for approval of voting devices 1989. Important changes:
1. Extensive approval criteria for voting devices stated officially;
2. TNO loses monopoly on licensing;
3. Mandatory advice by the Kiesraad (Election Council) on approval of a voting machine is abolished;
4. Mandatory periodical testing once every four years;
5. Extension of the regulation that enables withdrawal of licenses.
Conditions for approval institutes:
1. corporate personality;
2. availability of sufficient personnel, as well as required resources and equipment;
3. technical skill and professional integrity of personnel;
4. independence in licensing, writing of reports and providing testimonies of personnel for any group or person having direct or indirect interests in voting devices;
5. maintaining professional secrecy by personnel;
6. insurance against legal liability.
Procedure approval of voting devices:
1. Approval of prototype by licensing institution;
2. Approval for use in elections by testing of a device selected out of at least 10 machines, based on the specifications of the prototype;
3. Recurrent testing once every four years as in 2.

22 July 1997: Designation of TNO Centre for Evaluation of Instrumentation and Security Technology as a licensing institution. This means that, in fact, nothing changes, despite the government's opinion that other institutions could be designated as well, which would be good for market competition.

3 June 1998: State Secretary of Internal Affairs asks for the Election Council's advice on:
1. The possibility of printing a vote as proof that the vote has been registered; optionally, also for manual recount;
2. The necessity of licensing result calculation software and computers used in result calculation;
3. Worries about monopoly position of Nedap: what if this manufacturer cannot/is not allowed to provide machines/assistance anymore?
5 October 1998: Election Council advises establishing a subcommittee on automation in elections.
28 May 1999: Report about automation in voting "Stand van zaken automatisering rond verkiezingsproces" by Expertise Centrum together with the subcommittee of the Election Council. It is advised to consider posing legal demands on systems for calculating voting results by a testing and approval procedure, and to guarantee reliability and continuity by a review procedure. Remarkable: one of the interviewed local authorities used a self-written program for calculating results. Furthermore, purchased software sometimes makes calculation errors, which have to be corrected by the supplier.
1 September 1999: Report about developments in voting legislation "Ontwikkelingen in het kiesrecht" by the Ministry of Internal Affairs, sent to the concerned committee of Parliament. The report copies the recommendations from the report of the subcommittee of the Election Council.

10 September 2001: Change in Voting Decree: Voting devices may also be licensed for use in more than two simultaneous votings.

Requirements for voting machines

The full requirements specification, consisting of 14 sections, can be found as an appendix to the "Regeling voorwaarden en goedkeuring stemmachines". We quote and translate the items from section 8: Reliability and security of the voting machine.

The vote stored in the vote memory of the voting machine is the vote cast and confirmed by the voter.
A cast vote cannot be lost due to breakdown of the energy supply, failure of one component, the specified environmental conditions, normal use or mistakes in the operation of the voting machine.
The read-in lists of candidates are maintained completely in case of breakdown of the energy supply, the specified environmental conditions, normal use or mistakes in the operation of the voting machine.
The functions of the voting machine are maintained completely in case of breakdown of the energy supply, the specified environmental conditions, normal use or mistakes in the operation of the voting machine.
The storage of the cast votes is made redundant. The vote is stored in such a redundant way in the vote memory, that it can be proved that the failure rate is 1 x 10E-6. If there is a discrepancy in the redundant storage, the machine will report this to the voter and the voting station.
The voting machine is able to avoid or reduce the possibilities for accidental or intended incorrect use as much as is technically feasible in fairness.
The way of vote storage does not enable possibilities to derive the choice of individual voters.
The voting machine has features which help to avoid erroneous actions during repair, maintenance and checks, for example by mechanical features which preclude assembly in wrong positions or in wrong places.
The voting machine may have functions which are not described in the Voting Law, the Voting Decree, or this appendix, as long as they do not impair the required functionality of the voting machine and are related to the voting procedure.

Note that the possibility of recount is not mentioned at all. Furthermore, most of the requirements above concern correctness under normal circumstances, and not especially security against possible election fraud.

Electronic voting in the Netherlands

Summary of events in Fall 2006, posted December 20

News

History of voting in the Netherlands

History of electronic voting in the Netherlands

Remote voting

Hoogheemraadschap Rijnland

Ministry of Internal Affairs

Some considerations

Basic principles of elections

Possibilities for electronic voting

Advantages voting machines / voting PCs over paper ballots

Advantages voting PCs over voting machines

Involved parties

Other sources (in Dutch)

History of legislation concerning electronic voting

Requirements for voting machines

Licensed voting machines

Links