Conduct of the 2010 federal election and matters related thereto

CHAIR —Welcome. Do you have a copy of the submission that has been made?

Dr Teague —By me? Yes.

CHAIR —I may need a resolution that that be authorised to be received into evidence and authorised for publication. There being no objections, it is so ordered. You are not required to give evidence under oath, but the hearings are legal proceedings of the parliament and therefore have the same standing as proceedings of the respective houses. We appreciate your appearing before the committee. If you want to make an opening statement, feel free to do so at this stage.

Dr Teague —I will be very brief because you have seen my submission already. I have two levels of criticism of electronic voting. One is at the process level and one is at the technical level. At the process level I feel very strongly that the degree of transparency that is generally expected to apply to all of the other forms of voting should apply, if anything, more strongly to electronic voting as well. I feel that, if electronic voting is used, all the details of the system, including the source code, reports, physical security procedures and so on, should be made available to the public. That allows a clear discussion of the technological issues, which are really my main domain of expertise.

At a technological level a computer is just a machine executing a program written by people. Just because a computer is involved in taking the vote does not necessarily imply that the vote is recorded correctly, that it is transmitted correctly or that it remains private. There are all kinds of intentional or unintentional hardware or software errors, security vulnerabilities or whatever on a computer that could allow a vote to be cast that did not reflect what the voter wanted, that did not get transmitted properly or that did not keep the vote private. I feel that there has to be a rigorous technical discussion, if we are considering electronic voting, about exactly what security and privacy properties can be achieved.

I see four big issues that need to be addressed. One is vote verifiability, meaning whether the vote that gets recorded and transmitted actually is the vote that the voter asked for. Another is whether the privacy of the vote is maintained. Third is voter authentication—in this case I am talking about remote voting. Authenticating the voter is in the sense of making sure you know that the voter at the other end of the internet connection really is the eligible voter that you think they are. Fourth is demonstrating that the vote count is correct. If you take a big system like iVote, it takes in 47,000 votes and tells you at the end what they were. I feel that there needs to be a demonstration that they are clearly correct.

My aim in making this submission is to contribute to a rigorous technical discussion about what properties are or are not achieved by electronic voting.

CHAIR —Correct me if I am wrong, but I think that in the last parliament you also made a submission to the committee.

Dr Teague —Yes.

CHAIR —I think it was the situation that you were able to involve yourself with the Australian Electoral Commission at that time to view some of the options that they were looking at. Is my memory correct?

Dr Teague —Yes. After I appeared before the committee last time I was allowed to visit the Electoral Commission and see a demonstration of their system, but there was not any continuing engagement after that.

CHAIR —Did you submit anything to the commission as a result of viewing what they had?

Dr Teague —I submitted follow-up submissions to this inquiry about that conversation.

CHAIR —All right. I have read most of your submission—some of it I have skimmed. In your opening statement you were raising some concerns about privacy, integrity and transparency, and you listed a monologue of what might go wrong with computer votes. I am interested in whether there is evidence of that happening in any jurisdiction that you are aware of—or are those theoretical concerns that you are putting on the record?

Dr Teague —I have absolutely no evidence or reason to believe that anything went wrong with any particular trial that I know of. However, to me there is a big difference between a system like the paper system, which is designed to make it obvious that the right thing happened, and an electronic system that is not designed to make it clear that something went wrong. I feel that, with iVote in particular, for example, it is not designed to make it clear that something went wrong. The fact that you did not observe anything going wrong is not necessarily meaningful evidence that nothing went wrong. Sorry, that was not very well expressed.

CHAIR —No, I understand what you are saying. iVote was used for the first time in the New South Wales election, so obviously there is going to be an assessment of how successful it was. Were you here listening to the evidence of Robyn Gaile from Blind Citizens Australia?

Dr Teague —Yes.

CHAIR —She seemed to be quite supportive of that system as something that might be picked up by the Commonwealth in terms of future voting requirements. I am concerned that there be a system that does provide privacy, integrity and transparency.

Dr Teague —I agree. I think there are two questions. One is whether iVote is a good system. The other is: if you have the opportunity to design or specify a good system, what could you achieve? I feel that iVote achieves much less than could be achieved with a better designed system, but it is very hard to say anything concrete about it, because there are no publicly available technical details about it. I feel that a well designed, remote electronic system is not likely to be as secure as postal voting—for people who are able to fill in their own postal vote.

CHAIR —Which is part of the problem we have.

Dr Teague —Yes. I understand that there is a small fraction of voters like blind voters or Antarctic voters who are unable to fill in their own postal vote and who have to depend upon a person, at the moment, to cast their vote for them. I think that in that context it is reasonable to talk about a system in which they depend upon a computer instead of a person, but I do not think it is fair to necessarily assume that any kind of computerised design is going to be more private or more secure than depending upon a person.

CHAIR —I am interested in something going forward that is the best system that we can produce within reason. I am happy to produce a Rolls Royce system if someone can show us how to do it so it fits in with the people we are talking about and the Electoral Commission.

Dr Teague —Can you clarify the question a little bit? Are you asking me at a technical level what I think should be in such a system?

CHAIR —What you are saying, in effect, about iVote is that it has been a very secretive process, that you have not been able to drill into that process and have a look at it from these three angles of privacy, integrity and transparency. Also, as I understand it, there is the issue of ensuring that people’s wishes are actually carried through. I am concerned about that, because I am a great believer in each of those principles. But I understand there will be a report out of New South Wales, and we will be meeting with the New South Wales commissioner shortly in a private briefing where we will follow up on this. I take it that there is a situation for some of these things where there is a safeguarding of the technology.

Dr Teague —Yes, meaning the intellectual property interests of the vendor from whom—

CHAIR —The intellectual property? So this is not a conspiracy.

Dr Teague —No.

CHAIR —It is an argument about intellectual property. Systems are being shown to electoral commissioners, electoral commissioners are picking them up but not wanting—

Dr Teague —Right.

CHAIR —I would have thought that it is not only about intellectual property. I would have thought the less known about some of these systems the better, so that they are not hacked.

Dr Teague —I do not think that is true.

CHAIR —That is why I am asking the question.

Dr Teague —I think there is a business reason for keeping them secret, which is that the vendor will be selling a similar kind of system to lots of other people and if the source code is open it makes it harder for them to protect their IP. The security argument is quite simply not true. They like to run the argument because they do not want to say, ‘We’re not going to give you electoral transparency because we would rather make cash by selling it to somebody else.’ That does not sound like a good argument, even though I think it is quite valid. It is fair enough. They run the security argument to make it sound like they have a better reason for keeping it secret than they really do.

If anything, I would say that transparency is good for security. I would say that the more people who get the opportunity to analyse the system, look at it and think carefully about it and try to find bugs in it before it actually runs, the better the probability of fixing it up before that happens. For example, I got the opportunity to look at some of the technical details of the system that was used in Victoria in the last state election and I was able to make some quite constructive, meaningful comments about it.

CHAIR —Which they took up?

Dr Teague —Which they took up, yes.

CHAIR —Let’s go to the Victorian system. I am interested if you could verbalise what your view is of the Victorian system, as you understand it. Is it an adequate system for what it is trying to cope with? Or is it a developing system?

Dr Teague —I have said to the electoral commission, and I will say it to you as well, that I feel strongly that that kind of system should print a piece of paper that the voter can look at and check whether or not it reflects their intentions.

CHAIR —How do you do that if they are at home?

Dr Teague —The Victorian system was not for people at home.

CHAIR —Can you explain it to us then?

Dr Teague —I do not think there is a good substitute for that process when people are voting at home, and I think that is one of the huge problems with electronic voting from home. I do not see a way of substituting that process. I have a couple of research papers about how you could engage in some very complicated protocols that would give you some confidence, but the truth is that those are not really usable things at the moment. The truth is that I think one of the big vulnerabilities of remote internet voting is in how you check that the vote that got sent on your behalf from your computer really matched what you asked the computer to do. I do not think there is a good solution at the moment.

CHAIR —But isn’t the transmission captured in some form at the moment so that at a subsequent time it can be checked, or isn’t it? Is it lost in the ether? I do not think it is, is it?

Dr Teague —If I understand iVote rightly, I think you get a little confirmation number at the time that you vote, and if you want to later you can look it up on a website and find out. You can query a website and say, ‘This is my tracking number—did you get my vote?’ But that does not necessarily prove that the vote was correctly transmitted from the computer.

CHAIR —But isn’t it the truth that there is no perfect system?

Dr Teague —I agree. It is true that there is no perfect system, which is why the technical details of the system really matter. For example, if we are talking about whether or not a certain system is an appropriate substitute for blind people who currently have to depend on a person, that is a very different question from the question of whether the same system is an appropriate substitute for ordinary postal voters who currently write out their own postal votes, precisely because none of the systems are perfect and it is a matter of comparison of the degree of privacy or integrity provided.

CHAIR —Are we better advanced, though, than where we were some years ago?

Dr Teague —No. In the sense of electronic voting?


Dr Teague —Again, I have only the haziest details about the technical details of iVote, but I do not see any reason to believe that at a technical level it is any better than, for example, the ADF system from 2007.

CHAIR —What about its ability to reach people that could not be reached before? I am saying that of the Victorian system as well.

Dr Teague —I guess that is a good question. You mean the—

CHAIR —The voters, the people participating.

Dr Teague —The Victorian system certainly—and I guess iVote as well. I understand. I agree. There is a good argument for reaching people who really would not have been able to vote independently before. In no way am I saying that it is a bad thing to provide a solution for visually impaired or motor impaired people or people who would otherwise have had to depend on somebody else. It is a good thing. There are two things I would say. Firstly, I think we should have a clear understanding of what solution is being provided to them. I heard the lady from the Royal Society for the Blind. She seemed to be very confident that, just because the vote was cast on a computer, that meant that she was voting independently and it was perfectly private. That is not necessarily true. So I think there should be correct technical information about what is being provided. Secondly, I think that there is a problem if we are providing a certain kind of solution to a group of people who would have been able to use whatever—some other system, postal voting or—

CHAIR —It is one of the reasons that, when we did the trials, we recommended against expanding them, because of the reach that they would have, the cost that it would have and, in a number of instances, there were already provisions under existing law for people to vote, so we were not going to provide a system that was rolled gold and expensive and not really necessary in terms of increasing the number of people who otherwise would not have been able to vote. That is why we have asked the commission to cooperate with various groups to see whether we can actually advance this in a way that is feasible. It would be good if we could get some results out of the most recent experiences in Victoria and New South Wales. I am interested in your observations. We will follow through on some of the queries that you have to make sure we can satisfy, hopefully, some of the questions that you have.

Dr Teague —My report on the Victorian system is going to go up on the VEC website, but it is not up there yet.

CHAIR —On balance, is it supportive of what happened in Victoria or against what happened in Victoria?

Dr Teague —It is technical. It contains a lot of detailed ‘An attacker with this degree of privilege could achieve this kind of attack’ kind of stuff.

Mr SOMLYAY —Did you make a submission to the Victorian electoral matters parliamentary committee?

Dr Teague —I did, but I was not asked to appear. I do not think they have restarted their inquiry after the most recent election.

Senator RYAN —I appreciate there is a whole electronic voting issue, particularly for those with physical impairment, but the proposal that is often put to us is about internet voting. I will start by admitting I am a romantic; I like pencil and paper.

Dr Teague —So do I.

Senator RYAN —It has unique verifiability but also public faith. So, thank you for your submission. In terms of what you are recommending from this point forward, say, for the AEC, I think we are getting some benefit from experimentation around the states. I am conscious of your comments with respect to whether there is an IP privacy issue as opposed to the public interest issue around having the knowledge shared out. Are you recommending a government agency effectively try and develop something or are you just commenting on what has been happening thus far?

Dr Teague —I think that is one way for it to be done, assuming that the government agency was willing to make this source code and other documentation open. I also think it is quite possible to make openness a condition of the tender.

Senator RYAN —I appreciate you can do that.

Dr Teague —The Norwegian government recently instituted an electronic voting project. They bought it from the private vendor but they insisted that the source code be—

—I understand that. My concern is that governments do not have a great record with building IT systems, but I appreciate that we can tender in that way. Thank you.

CHAIR —Dr Teague, thanks for your submission. The quality of your evidence is such that we will follow through on some of the matters that you have raised because they are deserving of clarification and they are deserving of answers. If there is something that does arise and you want to make further submissions in this area, please feel free to do so. The committee in all probability will be reporting at the end of June. That is the time frame that we are looking at. You will get a transcript of the evidence from today and you can make any corrections you need to make.

Dr Teague —Thank you.

[12.34 pm]