[In January 2011 ORG Advisory Council member Keith Mitchell attended a system demonstration of the e-counting setup proposed for the 2012 Scottish local elections. Here is his report...]
All the staff present from the Scottish Government, Opt2Vote and Logica were friendly and helpful, seemed to believe in what they were doing, and presented themselves as wanting to be transparent and open to us about it all. From their reactions, ORG's reputation clearly preceded me!
I was the only civil society/activist observer at the demo, which was for about a dozen people who were mainly returning officers or other election workers within the 32 local authorities across Scotland. They are running these demo sessions 3-4 times every Friday over a period of 4 weeks.
There's a number of phases to the trials:
They stated that the system had been validated to the "WIG-STV" standard by the Laboratory for Quality Software "LaQuSo" in the Netherlands, for what it's worth.
The actual counting process consists of 4 stages, with a group of workstations and workers set up for each:
At any point in the process, if scrutiny of an actual paper is required, it is possible to identify where in which tray it is, and manually retrieve the paper for inspection. Otherwise after scanning, at the Adjudication and Returning Officer stages they are dealing with scanned images of both sides of the paper.
Papers are submitted and processed in trays of several hundred. Each ballot paper had a unique scannable ID, and each tray had a barcode ID which was scanned at various stages of the counting process. Various shelves were set up for staging the trays of papers between each step.
The scanners can cope with ballot papers greater than A4 size, in any orientation. Although all the demos and trials showed clean unfolded papers in the same orientation, they said that the system could cope with folded papers, and implied they had some experience with these, but that they may ask for the papers unfolded. This is important given the large size of the STV papers, as they expect that in the Highlands & Islands as much as 20% of the papers could be coming in by postal vote and hence potentially folded.
They said they had several years of good experience with these particular scanner models, and that jam/mis-feed problems were not a significant issue; it was just a matter of performing routine cleaning/maintenance on the scanners. I asked if the scanners could scan in colour; they had clearly not thought about this question but believed that they could.
The system consisted of various groups of off-the-shelf HP PCs running Windows XP, plus a server, together with Canon DR-7550C commercial-grade document scanners (connected to the PCs via USB), and various arrangements for screens which allowed both touch input and multiple screens per PC to make scrutiny easier. The workstation/server connections were via a standard HP Procurve ethernet switch, not connected to the outside world, but with a number of unused open ports.
I asked if the network traffic between the workstations and servers was encrypted on the wire, and/or if any other crypto-based authorization was taking place. They said the traffic was not encrypted, and it sounded like the authentication/authorization uses standard Windows mechanisms. They said there were also a number of network-management based approaches (I am assuming via MAC/VLAN/DHCP/IP-type monitoring/filtering) to ensure that unauthorized stations could not join the network to perform any kind of man-in-the-middle attack, and I got the impression these measures were under ongoing development.
The PCs had various open peripheral ports on them - they volunteered before I even asked that the unused ports were disabled in software via some kind of operating-system level registry lock-down. However, they also had standard optical drives, and I was able to open these just by pushing the eject button. I don't know enough about Windows to be able to say how robust/effective this lock-down is.
I asked how they verified the correctness of the software being run on the PCs - they said they were all clean installed from a standard software setup during the count network build-out, and that some kind of hash-key verification was done at this stage. I was unable to verify if the validation was across the OS install and/or application or the whole thing, or the cryptographic strength of the verification.
There did not appear to be any further validation of the software beyond the set-up point ("it can't be tampered with after this"). As far as I understood it, the whole model is a "clean room" approach, where all the equipment and material is kept under lock and key from build-out to the end of the count, except when the actual counting work is being done, during which everything, including what's on all the screens and who's doing what with which equipment, is open to scrutiny from all interested parties.
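The report describes a hash verification done once at build-out and nothing afterwards. The following is an added example, not part of Keith Mitchell's report and not the Opt2Vote/Logica system's own code, showing what the minimal version of that check looks like: a SHA-256 manifest of an install tree recorded at build-out, and the same manifest re-checked later so that any modified, removed or newly added file is reported. The file names, contents and directory layout are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large images don't need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk an install tree and return {relative POSIX path: sha256}.

    This is the 'build-out' step: run once on a known-clean machine and the
    result is the reference the count-day check compares against."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and classify every file against the build-out manifest.

    Three categories matter: files whose contents changed, files that have gone
    missing, and files that were not there at build-out at all."""
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo():
    """Constructed scenario: a tiny install tree, a manifest taken at build-out,
    then a config edit, a dropped-in file and a deleted file before the re-check.
    Returns (result of the clean check, result of the post-tamper check)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "count.exe").write_bytes(b"MZ constructed application image")
        (root / "app" / "rules.cfg").write_text("wig_stv=true\n")
        (root / "os").mkdir()
        (root / "os" / "kernel.bin").write_bytes(b"constructed os image")

        manifest = build_manifest(root)          # taken at build-out
        clean = verify_manifest(root, manifest)  # immediate re-check: should be ok

        # Changes made after build-out; a count-day re-check should surface all three.
        (root / "app" / "rules.cfg").write_text("wig_stv=false\n")
        (root / "app" / "extra.dll").write_bytes(b"constructed unexpected file")
        (root / "os" / "kernel.bin").unlink()

        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean check ok:", before["ok"])
    print("post-tamper check:", after)
```

The value of the manifest depends on where it is kept: stored on the same workstation it describes, it can be regenerated along with any altered files, so a real deployment would keep it (or its signature) off the counting machines, for instance on read-only media held with the rest of the locked-away material, and re-run the verification in front of observers at the start of each counting session rather than only at build-out.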
There wasn't a lot to photograph, but they were happy for me to do so; here's what I took: