from the every-vote-10101011's dept.
On Wednesday 15th of March, there are (were) general elections in the Netherlands. A vote is cast by marking the chosen candidate with a red pencil on a (large) ballot. Vote counting is manual. Below is a short history of how the Netherlands got to this point.
Background: voting in the Netherlands
First up: voting in the Netherlands is rather different than voting in the USA. In the Netherlands, every voter gets to cast one vote. There's a huge list of candidates (400-600), who are grouped into ordered lists (i.e., the various parties).
There are 150 seats in the House. To get elected, you need.... 1/150th of the total number of votes.
(that sounds almost reasonable, right?)
If you're short (or over), the votes that aren't used by you default to the party. Seats are then assigned to the folks on the party's list in the order they appear on the list. So, if after everyone was directly elected, a party receives 6 / 150th of the votes, then the first 6 persons on the list who did not win a seat themselves, win a seat.
Usually this process does not allocate all seats, and there's a process for that as well (D'Hondt method, if you want to be precise).
The TL;DR version: people vote for exactly one candidate out of a few hundred candidates. Every vote counts. Even if your candidate is not elected, by voting you've raised the total number of votes, and therefore the threshold that needs to be passed (1/150th of the vote) to win a seat.
Machine voting in the Netherlands
The Netherlands enjoyed machine voting for a long time. Prior to my existence, mechanical devices were in use. These were superseded by electronic voting machines. The machine that was used the most was the Nedap machine: sort of an extra-large checkerboard of buttons, on which a ballot with candidates was placed. You'd press the button of the candidate of your choice, a tiny LED screen on top would list the party and the candidate's name of the button you had pressed, you press the 'confirm' button next to the tiny display and you had voted.
This system facilitated vote counting enormously. To count votes, you'd just press a button and out came a "shopping receipt" with the vote count. A recount was even easier: just press the button again! Couldn't be easier.
Of course, there's a few security issues with that, but hey :)
Back to the red pencil: security issues with machine voting
Around 2007, the heat was turned up under the feet of voting machines. They suffered from various flaws: no meaningful recounts, no meaningful way to verify that the result had any relation to the voter input, etc.
At one point, Nedap claimed their machines were not computers. An opposing party countered this claim by making one of the Nedaps play chess (by inserting their own PROM chip onto the board). This effectively demonstrated that the machine could do anything whatsoever, and that verification was completely impossible.
Amazingly enough, that was not the thing that got these machines banned. What got these machines banned was the displaying of the party's name. As it happens, there was exactly one party who's name includes an accent: CDA (fully known as "christen-democratisch appèl"). That one accent was enough to get voting machines banned.
As it turns out, the emanations from the ancient, tiny LED screen depended on what was displayed. Before you say "well gosh jolly, who'dda thunk": determining what was displayed based on those emanations was *hard*.
Except for the accented character. I believe it was due to that one character using an extra bit (8-bits instead of 7 bits). At any rate, the emanations for this character could be easily distinguished from emanations lacking this character. Moreover, both types of emanations could be distinguished from when the screen was off.
A group of hacktivists (before this term was widely used), by the name of "Wij Vertrouwen Stemcomputers Niet", seized upon this. They had already shown that the Nedap could play chess, but now they constructed a simple display (converted TomTom) with a large antenna. The display would show when a vote was cast, and whether that vote was a vote for CDA or not. From outside the precinct.
That got Nedaps banned. In the ensuing fallout, security of the other manufacturers' machines was also enormously under par, so in one fell swoop all voting machines got banned. Voting was done in the traditional fashion: paper ballots, and a red pencil.
Handcounting of votes
Of course, the paper ballots had to be hand counted. You could probably design a system that is able to read this A2.5-ish ballot and determine where the mark is, but a trustworthy system that is cheap enough to deploy to all precincts (guesstimate: about 10.000), and easy and robust enough to be used accurately by folks who have never seen this before?
Yup, it's counting by hand.
Aggregation of votes
Aggregating the votes is somewhat tricky. Each precinct handcounts its results, which then need to be aggregated. This happens first at the municipal level. Up to recently, special software was used for this. Again, security was an afterthought - in the software and in the procedures used.
After completing the count, the count would be entered into a TXT file, which was saved onto a USB key. Then, someone would take the USB key to town hall. (I kid you not.) After that, the software would take over. The software, which could be installed on any system, including Windows XP (which was known to be on the way out when the software was developed). The software has its share of problems (installs a webserver but doesn't need internet, using HTTP to connect to local webserver, using SHA1, storing SHA1 hashes with the data they are "securing", emailing result-files without encryption,...). This was found out thanks to an ethical hacker, who did a teardown of this software based on a Youtube instruction video (I am not making this up!):
I am now at 03:44 minutes into this epic instruction video...
The responsible minister could do little else but hire a security company to perform a security audit of the software. Unsurprisingly, they reached more or less the same conclusions as the ethical hacker. They did state some rules under which the software could be used as a backup.
Determining the results of the 2017 elections
Which is where we are now. Each precinct will hand-count the votes. These results are then aggregated manually at the municipal level and at higher levels. Software may be used on stand-alone, unconnected computers to validate the result of the manual aggregations. Paper is leading, meaning that if the two aggregations differ, we will turn to the paper count and recount that to verify that it is correct.
So that is that: we were using machines but they were horrendously insecure. We were using software to aggregate votes in a horrendously insecure way. We are voting today (yesterday?) with red pencil and paper, hand counting votes and manual aggregation of votes.
Every once in a while, someone suggests a "better" way to do it. Usually "better" translates into "more convenient, broken security". Some folks call the current system old-fashioned. To me, old-fashioned may be a downside for clothing, but I don't mind it in a voting system.