Voting with pencil and paper in the Netherlands
Disclaimer: Views expressed in this commentary are those of the staff member. This commentary is independent of specific national or political interests. Views expressed do not necessarily represent the institutional position of International IDEA, its Board of Advisers or its Council of Member States.
At the beginning of February 2017, international media reported that due to concerns about cyber threats, all ballots in the Netherlands will be tallied manually for the upcoming elections on March 15. After already suspending the usage of voting machines in 2008, this is the second step back towards paper based voting for a country that has more than 20 years history of using voting and counting technologies.
The move back to a manual process was triggered by Dutch journalists who asked the IT Security Consultant and Ethical Hacker Sijmen Ruwhof to investigate whether it was possible to hack the elections in the Netherlands. Specifically, Mr. Ruwhof was requested to analyze the Ondersteunende Software Verkiezingen (OSV) application for weaknesses in parts of its cryptographic system.
Mr. Ruwhof’s analysis exposed several risks that eventually led to the announcement by Minister Plasterk that the votes would be tallied manually to prevent possible hacking attacks and disperse any doubts in the election results.
On the one hand, this reaction is very commendable as upholding the integrity of elections must be the ultimate priority for any election administration. On the other hand, switching back to a manual system will certainly create new challenges and questions. Will new, ad hoc created manual tallying processes be robust and free of mistakes? Can other electronic tools such as Excel sheets be used in a manual process and are such tools more secure than the OSV? Will it be possible to provide timely preliminary data to media such that first result projections are available on election day?
Pondering such questions, one wonders if an insecure OSV can still be used in a secure way. And indeed this may be possible when analyzing in detail how the election results are currently established.
In polling stations, all ballots are counted manually and the results are recorded on paper result sheets (proces-verbaal N 10). These results on paper provide crucial, unalterable evidence of the correct vote count at polling station level.
At the municipal level, polling station results are keyed into the OSV based on the paper-proces-verbaal N 10. After data entry, the OSV is used to tally the polling station results at the municipal level and to transmit the results for regional and national aggregation.
This is the very process that must be considered insecure according to the weaknesses discovered in Ruwhof’s analysis. The most severe of them being a paper audit, a comparison of digital and analog count, that is only optional. Additional key findings of the analysis include that results data is not sufficiently secured against manipulation during transmission and that the computers running the OSV software could be loaded with malicious software. Essentially this means that nobody can be sure that the final results established by the OSV are correct and have not been ‘hacked’ somewhere between data entry and the final result calculation.
There is, however, a simple way to find out if manipulation happened. Full publication of the election results according to open-data principles. Following these principles all data produced by the OSV system - down to the polling station level - needs to be published online. Once this data is public, all municipalities can be instructed to cross check the paper polling station result sheets (proces-verbaal N 10) in their custody against the polling station results published online. If the OSV and the result data it contains has indeed been compromised, this cross check would reveal discrepancies. Any irregularities can be then investigated and corrected using the original paper result sheets.
Moving to full open-data publication should not be seen as a large change for the Kiesraad that has already taken several steps towards high levels of technical and data transparency. Significant parts of the source code of the OSV and related software reviews are published online, and election results are already now published down to municipal level. The small additional measure of publishing data at the polling station level and introducing the data cross checks would greatly increase the overall security and integrity of the election results processing system. This would not only spare many poll workers additional working hours on election day, but would also avoid delaying the availability of first results and avoid the risk of introducing new mistakes through a completely new manual process.