Skip to main content
Normal View

JOINT COMMITTEE ON ENVIRONMENT AND LOCAL GOVERNMENT debate -
Thursday, 18 Dec 2003

Vol. 1 No. 20

Electronic Voting: Presentation.

We now come to the substantive part of today's agenda, namely, the discussion on electronic voting. I welcome the witnesses to the meeting, including the Secretary General from the Department of the Environment, Heritage and Local Government, Mr. Niall Callan and his officials. They are accompanied by representatives of the different companies involved in the introduction of electronic voting, namely, Groenendaal, Nedap and Nathean Technologies. I also welcome Mr. Joe McCarthy, who has forwarded a report to the committee outlining his concerns on this matter; Ms Margaret McGaley and Mr. Robert Coughlan who met with the committee last week and have agreed to meet with us again.

Last week's meeting highlighted a number of concerns. We will hear short presentations from the Secretary General and Mr. McCarthy, neither of whom addressed the committee last week, before concentrating on a question and answer session between members and witnesses.

I remind witnesses that while members of the committee have absolute privilege, this does not apply to witnesses appearing before the committee. Members are reminded of the long-standing parliamentary practice where members should not comment on, criticise or make charges against a person outside the Houses, or an official by name or in such a way as to make him or her identifiable.

Mr. Niall Callan

I thank the committee for the opportunity to meet with it and discuss the issue of electronic voting. I am accompanied by Mr. Tom Corcoran, head of the local government and franchise division, and Mr. Peter Greene, head of the franchise section.

As requested by the committee, the Department is pleased to bring to the meeting some of the key experts involved in the development and testing of the Nedap-Powervote system for Irish election purposes. I would like to introduce Jan Groenendaal, managing director of Groenendaal BV, the systems and software developers; John Pugh, chief technical officer, Nathean Technologies, the Irish firm that has undertaken the architectural and code reviews of the software system; and Henk Steentjes, chief technical officer of Nedap, the Dutch company that manufactures the voting machines. We have other experts in reserve such as Joe Wadsworth of the Electoral Reform Society, based in Britain, who has undertaken testing of the counting functions and is also available to speak to the committee.

Before placing these experts at the committee's disposal, I would like to make some brief general comments to bridge between the Minister's presentation and the discussions with the committee on 25 November 2003 and today's session. In line with the 2001 legislation enabling electronic voting, the Department has been working hard to implement the mandate from Government to develop an electronic management system for Irish elections. The fundamental purpose of the initiative is to improve the efficiency, speed, accuracy and user-friendliness of Irish elections and to eliminate the democratic wastage associated with spoilt votes. More than 20,000 spoiled votes were registered at the 2002 general election, equivalent to 1.1% of all votes cast.

It is about more than just improving the technology. Modernising and transforming elections in a visible way will tackle voter apathy and improve the image of elections, especially for an increasingly young electorate. The Department's mandate was to complete this change process as quickly as possible. This presents many challenges for us and our partners in the process. However, in the Government's thinking, it secures earlier delivery and availability to the people of the benefits of electronic voting. Given the cycle of the various elections, the alternative would be to delay these benefits for several more years. This approach made it important for the Department to procure an electronic voting system of proven and robust performance. We did not consider it sensible to pursue a policy of designing and developing an entirely new system.

In the event, the procurement process identified Nedap-Powervote as the best system to apply to Irish elections. This system came with its own proprietary hardware and software. The count function is not based on a PC and I will raise this important issue later. More important, the Nedap-Powervote system enjoys the proven advantage of widespread and successful use at national and local elections in the Netherlands over many years and it has been more recently employed in some German municipal elections. This successful operation in practice, in some of the most sophisticated societies in the world, is the most worthwhile possible test of reliability.

The new voting system was extensively piloted at the 2002 general election and the second Nice referendum, in which more than 270,000 voters used the system. The reaction of users has been overwhelmingly positive. Neither has any candidate or voter in the constituencies covered by electronic voting raised questions about the fairness or integrity of the process or made a significant complaint or challenge to the Department. All best technologies embrace the principle of continuous improvement. The Department and its partners are committed to the continuous improvement of the electronic voting system. We are working on changes for the presentation of results; we have modified the voting machines to make them more user friendly and accessible, and we have subjected, and continue to do so, the system software and hardware to rigorous testing by a range of independent agencies.

The Department will pursue this approach of continuous improvement between now and June 2004 and beyond that. We do not see this as any admission of weakness. The electronic voting system already meets high and satisfactory standards of performance. However, best practice means that we should not rest on our laurels and that we should add to margins of safety and reliability.

Coinciding with the transition to full use countrywide of electronic voting, concerns have been more explicitly raised about the security and verifiability of the system. We want to deal fully with these concerns today. My expert colleagues will explain various aspects of the system validation with which they have been involved. I will comment on a more general level on some key issues. The argument is now being made that the electronic system is not adequately validated in terms of its ability to store and count votes securely and that a separate paper record needs to be created to provide this validation. The Department does not accept these arguments. The independent testing of the system fully addresses the issue of the machine responding accurately to and storing touch-button commands. The counting function has been rigorously tested. The machine is programmed to shut down instantly in the unlikely event of any error being detected. The system is also designed to provide a full record of all individual votes cast following the election.

The idea that an electronic system can be well validated by a paper receipting process is highly problematic and creates many practical difficulties. It involves a dual system in which constant confusion will obtain as to whether the electronic data or the paper trail represents the validly cast vote. It is also dependent on the perfect functioning of a printer. For these and other reasons, only a very small minority of electronic voting systems worldwide have incorporated a paper receipting function.

Issues have also been raised by the committee about making the source code for the election management system generally available. The Department's primary concern at this stage is to guarantee and deliver to the public a system that is reliable and trustworthy. From this perspective, whether to make available the source code to third parties is a secondary issue. The Department will not be in a position to consider acquiring full rights to the code until October 2004 when the system, including a module to cover the presidential election, will have been fully completed. The Minister has said that at that stage he will address all issues regarding the public interest in permitting wider access to the source code. We understand that different views on this matter have already been expressed to the committee.

We should not forget the considerable imperfections of the old paper ballot system. This typically wasted more than 1% of votes cast through spoilt votes and more than that at multiple polls such as the one planned for June 2004. Therefore, the feeling of assurance and validation which some claim for the paper ballot process was illusory, for some voters at least. The manual count was also subject to errors and risks. For all these reasons the Department is confident that the electronic system will provide an easier, quicker, more accessible and more accurate voting system. Our experts will be available to clarify other issues for the committee.

I thank the Secretary General. As there is a vote in the Dáil Chamber we must leave in three or four minutes, but Mr. McCarthy might introduce himself in the meantime.

For the past 17 years I have had an interest in elections, but I have been a computer professional for the past 30 years or more. I used to work for IBM and now I run my own network consulting company. I have professional qualifications which allow me to speak on matters of IT and practical experience which allows me to speak on matters relating to vote counting - I have been an agent or sub-agent at every election, general and local, since 1987. I set about trying to find out about electronic voting in October 2002 by seeking information from the Department under the Freedom of Information Act and after quite some time I received some of the material I have in front of me, on which I am basing my opinion. I do not have full knowledge of the system - in particular, I do not have access to the technical documentation or the source codes.

I have 40 questions to put forward, some of which are very technical and may be beyond the compass of most of the members present but should be answered by the technical experts. Some are quite unusual and esoteric - one of them deals with cosmic rays. The computer systems to be used for electronic voting are subject to the influence of cosmic rays once a day on average, taking into account the number of machines. Good practice would result in good management of these matters, which seems to be the case for the Nedap machine but not for the counting machine. There are also various roles, to which I must draw the attention of the members, for us as part of our responsibility for this system. I will identify five major issues.

Sitting suspended at 10.55 a.m. and resumed at 11.41 a.m.

We will resume our business. I am sorry for the delay, but there were a number of votes. The Clerk to the Committee said there were no rows in our absence, so the spirit of goodwill prevails. We will allow Mr. McCarthy continue with his presentation.

I emphasise that the views I express are my own. I am not a member of a political party or of any lobby group. I have developed these opinions from the materials I was able to retrieve from the Department.

A list has been circulated of some 40 questions that I would wish to have addressed. I will mention the various roles of the citizens of Ireland. The people own the Constitution and have set up these institutions through the Oireachtas. The Minister and his Department implement the legislation. On the ground, the returning officers and presiding officers in the polling stations conduct the elections formally and statutorily. That has been the case since the State was established. We are now about to move to a new set of equipment and software where the roles are extended to the hardware and software manufacturers. There are issues surrounding hardware. The software developer is of particular note where the statutory count rules are implemented. Then come the testers and reviewers and to some extent certifiers. As we will see, the certification process is a little weak.

I have noted these points in the material supplied, showing that the Constitution and the electoral Acts are formal. We have to abide by them. They produce statutory rules which originally were solely in the hands of the returning officers but which will now be in the hands of voting machinery which is designed according to a specification issued by the Department, principally called the Count Rules and Commentary, a single document. This has been modified as this development has gone on. The voting machine and software are developed by Nedap in Holland, and the IES count PC is, as I understand it, subject to Mr. Callan's comments that it might be different, a normal PC, running specialised software developed by Groenendaal. My concerns are: who owns these various roles and who is allowed to change them, and under what control? Who designs them, tests them and operates them? There are quite a few new roles defined here which I would like to illustrate. The names in yellow boxes on the document supplied are those of the various owners, as I understand it. The Department owns the Count Rules and Commentary.

Owning is an interesting concept. The machinery is owned in due course by the returning officer, but the design is owned by Nedap, as is the software in the case of the voting machine. It is surveyed and certified by Kema, TNO and PTB, two of which companies are in Holland, I think, and one in Germany. On the software side, the Groenendaal Bureau writes the software we are most concerned about here. It is tested in a black box manner by the Electoral Reform Society in the UK. It is code-reviewed, but not tested, by Nathean Technologies in Dublin. We therefore have four Dutch companies, one German, two UK companies and a single Irish company assisting us in implementing the statutory rules necessary to run elections in Ireland.

The issues I am most concerned with are the documentation and testing. In my request to the Department I sought the systems design specification for the counting system. That was my original request. It was all I focused on because I am familiar with counting. I like the counting process and I understand it very well. Part 19 of the Electoral Act 1992 is engraved in my mind because I have had need to argue it from time to time with returning officers and fellow agents. It will be implemented in software, something with which I am very familiar. I wanted to see the test plan and the design plan. The Department responded quite correctly that it did not have that documentation. It still has not got it, after five requests under the Freedom of Information Act, two internal reviews and one appeal to the Information Commissioner. The principal reason the Department has not got the essential documentation is that it has not got a contract with the provider, and therefore section 6(9) of the Freedom of Information Act, which would allow it to retrieve those records, is not operative. I have appealed this to the Information Commissioner and the appeal continues. I submitted the appeal on 22 April but a decision has not yet been given.

There are other technical issues involving this system, in particular the use of the Microsoft Access database to hold the votes. Nobody in his or her right mind uses Microsoft Access for a critical system, and I will show formal opinion from Microsoft to that effect. We are concerned about the integrity of the vote. This matter has exercised us all. How can we ensure that the vote is safe? Typically in modern systems, whether they are gambling, financial or voting systems, we should provide for the integrity of each record with a MAC - a message authentication code - such as is used universally in systems in Dublin for e-top up vouchers, ATM withdrawals and for national lottery wagering transactions.

I mentioned cosmic rays. These are an interesting natural phenomenon that cause errors in large populations of computers. It is a verifiable condition, well understood in the literature. The best example here is a Counting PC in Schaerbeek in Belgium, which on 18 May this year credited one candidate with more votes than on his party's list - an impossibility. The votes were counted next day and it was discovered that the candidate had 4,096 votes too many. This count was formally done by the manufacturers, the Ministry of the Interior and the president of the canton. The conclusion was that a cosmic ray had flipped a bit and caused the extra votes. Such things happen and we must take them into account. To be fair, the Nedap design has taken it into account very well, but there is no evidence that it has been taken into account in the counting system.

As power failures occur all the time, there is considerable evidence in the material I have looked at that power failures are beginning to exercise the technologists in the Department as to what happens between the moment the yellow vote button is pressed and one's voting preferences move through the machinery before landing in the memory. That takes a few hundred milli-seconds, and things happen as the power fails. It is a very interesting exercise to figure out where the ballot is during that process. We need the integrity of the machine to handle that.

Those are the major issues I am worried about. My professional concerns revolving around the development of the environment are that the software in use is being re-released every three weeks. We have had 40 releases since January of last year. The releases being tested by ERS are already out of date. I do not know which particular release Nathean has most recently reviewed. It last reviewed version No. 111 and the draft report for that was refused to me. I appealed the decision and the deciding officer said I could have it on 31 December 2003. I have not got it yet, so I am in a position of some ignorance. I will be delighted to stand corrected by the Department and its officials on my lack of knowledge. I am suffering from a severe lack of knowledge regarding this matter. Yesterday I spent three hours reviewing Department files and it seems from the information I read that ERS has not tested the European ballot module. There is no evidence that it has tested the European vote, a very large vote, with 400,000 or 500,000 votes in each count. That is a heavy-duty load on a PC. It may be more than the ERS testing system can handle. I do not know. There is no evidence.

Up to a couple of days ago, Dutch code and messages were still being produced by the system. That is a serious concern for the understanding that we might have of the Dutch code being written by Groenendaal.

There is a major concern about how the returning officers will run these complex systems. They will need IT support, and concern has been expressed about how the officers will do the work. They primarily work in county court houses and elsewhere around the country where the PCs are on LANs. They might put the software on the LANs and the software might leak. That and other matters are of concern to the Department but I cannot see the formal solution.

Mr. Callan referred to the most worrying issue. The continuous improvement that he suggests is not evident to me in that currently it has not yet been proven to work in the first instance, before any improvement. The timetable which Groenendaal had hoped to meet was that the software would be developed by the end of April for testing in May and June by ERS and reviewed by Nathean. That has not happened, however. It is still in test as of a couple of weeks ago. It may have finished in the past few days, but as of a couple of weeks ago, ERS was still testing it - six months afterwards. I do not like the fact that there is no formal Chinese wall between the developers and the testers. The representatives of the testers in the UK were sending change requests directly to the developers, who were implementing the changes and there is evidence in the files that the project manager in the Department of the Environment, Heritage and Local Government is attempting to corral these frequent changes so that he will have a stable position to offer to Nathean for its review. In other words, changes are happening willy-nilly.

My concern is whether or not this is a safe system. In my professional opinion it is not. The other query I have is: who decides whether it is or not? It is the committee's role to adjudicate on this as the representatives of the Oireachtas and then tell the Department of the Environment, Heritage and Local Government how formal procedures are to be put in place to do the testing and the checking. There is no evidence of any formality in the procedures. The question as to who decides our votes and who decides the system that will count our votes rests with the committee.

Inadvertently or otherwise the committee has started on the process of examining this system and attempting to reach a conclusion on that. Therefore, a major responsibility will rest on this committee if, God forbid, anything goes wrong with the system. Just to clarify the position, I would like to know at this stage whether we are closing the gate after the horse has bolted. Has the contract for the system been awarded? It would be useful for us to know that because it might have an influence on matters down the line. The committee is not on a witch-hunt. Members are anxious to be able to say with confidence to the general public that this system is the way to go. It is difficult for professional people such as the witnesses before the committee today to have the concept of how little confidence the general public has in anything that is politically driven. I am not referring to any political party. It is only as a practising politician that one fully realises the level of distrust among the general public towards anything politicians do. I will not go into the causes for that, but they are obvious. Therefore, we have a difficult task in convincing the public that our decision is the right one.

Mr. Callan said only a small minority, worldwide, has the paper trail. That means the paper trail is possible if a small minority, whatever it is, has a paper trail. There would be much more confidence in the ability to check this system if there was a paper trail. Why cannot we have a paper trail so that it would boost our confidence in the end result, rather than having any doubt over it?

Finally, and this is not clear to me - and I asked about it the last day also - up to now the voting system provided for presiding officers and poll clerks in each polling station. Some of those were elderly ladies and gentlemen. Given the high levels of employment it was often difficult for returning officers to get presiding officers and poll clerks. Will they be replaced by people with different qualifications? Will the presiding officer be a person responsible in the polling booth all the time for voting on the day, whether by electronic or manual means? Is a new type of person to be recruited nationwide to be a presiding officer and a new type of person to be a poll clerk, because in the latter case someone will have to record the people who have voted? How are those people to be trained in the new technology? What happens if there is a breakdown in the technology and the presiding officer cannot correct it because of his lack of technical knowledge and an expert has to be called in? Who will decide what that expert is doing when he or she is attending to the breakdown? It is too vague to say: "Let us carry on as we are." At the last committee meeting members asked that all negotiations about contracts should be stalled before we come to a conclusion. I am anxious to know where the matter now stands. Perhaps I can put some other technical questions afterwards for others.

Most of those questions were directed at Mr. Callan, so he might like to reply. He might also give the committee some indication as regards the contracts or commitments he has entered into on the introduction of electronic voting.

Mr. Callan

I am pleased to do that. Effectively, there is a contract with our suppliers for the provision of the 7,000 or so voting machines required to roll out the system countrywide for June 2004. The main contract is still awaiting signature, but I have said that the effective position is that the commitment is there.

How does that operate? What sort of arrangement did the Department of the Environment, Heritage and Local Government enter into?

Mr. Callan

A letter of intent was issued last January from the Department of the Environment, Heritage and Local Government to the main suppliers. The final legalities of a contract have been sorted out and are ready for sign-off by both sides to the agreement. There would be difficulty if the Department were to withdraw, or to seek to withdraw, from the position it stated in its letter of intent last January, even though the formal signature of the contract has not yet been executed.

On some of the other points raised by Deputy McCormack, on the issue of the public's confidence or otherwise in the handling of elections in Ireland, it is the position since the foundation of the State that duties under the legislation pertaining to Irish elections are generally vested in the Minister for the Environment, Heritage and Local Government. The Department on a day-to-day basis carries those responsibilities. Mr. McCarthy is right in saying the Department is not usually in a position to run elections, but it provides the legal framework and guidance to all the statutorily deputed people at local level as to how they perform their functions. In recent years a number of functions as regards the electoral process have been hived off to statutory commissions. The Standards in Public Office Commission exercises a certain monitoring of the electoral process. The Constituency Commission is a statutory independent entity that deals with the preparation of new constituency boundaries. The Department of the Environment, Heritage and Local Government still carries executive responsibility for many of the systems and much of the co-ordination and support to local authorities and returning officers that is necessary for the good conduct of elections. As long as those functions are vested in the Department, we carry them to the utmost of our ability. If it is the wish of the Legislature to assign them to an independent entity, so be it; that will happen in its own time. We have to discharge our duties well and urgently.

Deputy McCormack again made a plea for the paper trail and I have set out the Department's honest judgment on this issue. It is felt in the Department that the paper trail will generate endless confusion because it will not be clear ultimately whether the electronically registered vote or its paper counterpart is the validly cast vote. I mentioned that only a small minority of electoral authorities worldwide which use electronic voting have adopted a paper trail. This illustrates that the presumption in the context of electronic voting is against the use of the paper trail. It is certainly a presumption that is manifest in the behaviour and the decisions adopted by those who are charged with the running of elections in all kinds of places over the world.

Deputy McCormack asked also about the capacity of presiding officers and poll clerks to deal with the new system. An essential part of the preparations already under way in the Department is the training of staff from local authorities and the registration authorities. As we move closer to the election we already have courses in preparation involving the Department and the IPA, which will brief these people very fully on their duties. There will be no fixing of the machine in polling station locations by anybody. The machines will be brought back securely to counting centres under the control of the returning officer.

My experts may wish to respond later to the points made in Mr. McCarthy's presentation, but I am under the guidance of the Chairman as to how to structure those responses. Perhaps other members may wish to speak first.

We will take a few more questions and then later the Secretary General may give a general reply. We will deal directly with the questions as posed. We ask members to address the questions to whomever he chooses. Should Ms McGaley wish to make a general comment later that will be permitted.

The members of the committee will have ample opportunity to discuss these issues. What I would like to hear today is an exchange of views between the various experts who are assisting the Department and the people who have given their opinion to the committee. Mr. McCarthy queries the reliability of the software, the counting system and the issue of the paper trail. It would be informative for the committee to listen to the exchange betwen people who understand this business

The committee system does not allow for the type of exchange advocated by the Deputy. We decided on a question and answer session. It is about, as Deputy John Bruton once stated, asking the right question. I cannot see other ways of proceeding other than the question and answer session as we agreed on last week.

In that case Chairman, let us hear from the manufacturers of the machines and its software on the points raised by Mr. McCarthy. Is it the case that this has not yet been tested for the European elections? What is the response to Mr. McCarthy's point that nobody in his right mind would use Microsoft Access for a critical system? We did not deal with what would happen in the event of a power failure. If somebody is in the process of voting and the power fails, has he voted or not? How does one check that? In particular, how does the presiding officer at the polling station deal with it? If somebody enters his or her vote and then the power goes off, it comes back on five minutes later, does the presiding officer given him or her another vote? How does the presiding officer check whether the vote has registered on the system?

Does Mr. Callan wish to reply to that?

Mr. Callan

Chairman, I gladly invite our experts to respond to Deputy Gilmore. I will respond to the query on the European constituency counting rules because in a sense the Department is the custodian of the legislation involved. No testing has been carried out on the European constituency counting rules, because the rules are exactly the same as the Dáil counting rules, which have been assiduously tested. It would be duplication as we are talking about the same issue. We have been in test mode with the Dáil counting rules and there is no difference between them.

The trials on elections have been done in three constituencies with a total poll of approximately 60,000.

Mr. Callan

We are talking about the application of the counting rules. The logic of the counting rules is exactly the same. Our experts will answer the database issue and whether the system has the capacity to deal with bigger numbers. On the question of Microsoft Access, the PCs that will be used for counting will be security hardened and not networked in any way. Our experts will explain more on that. I will let the experts deal also with the power failure issue. Mr. Henk Steentjes will address some of these issues.

Mr. Henk Steentjes

On the question of what happens if there is a power failure in a polling station, the moment the voter casts his vote on the electronic voting machine or the ballot paper is going into memory, storage of the vote is done in a fast memory inside the machine. It completes the vote storage when power comes back on or a battery is attached to the machine. When the power comes back on again, the power storage in the module with all the securities involved is resumed and all checks are carried out to confirm that all vote storage was according to the rules. The presiding officer can easily see if the number of voters on the control panel display has increased, so he or she can easily see if the votes have been counted. If the power failure occurs before the voter presses the "cast vote" button, then the vote is not stored. That is also easily seen when the power comes back on because the number of voters, which is indicated on the control panel, will not have increased by one. That is the way we deal with this and it is a good and secure way.

Mr. John Pugh

We are happy that, with the security protocols that have been put in place around the system and its implementation, the Microsoft Access database is secure. We have subjected the database to tests and we are quite happy it can handle the level of data that is required.

Mr. Callan

The point deserves to be made that we will use Microsoft Access in stand-alone, security-hardened PCs, which are not networked or connected to any other system in any way.

Following what Deputy Gilmore said earlier, if we keep asking questions and the ten witnesses keep answering them, we will not get anywhere because we are not the experts. Some of the experts are on the lower benches and they should ask the technical questions that we are unable to ask.

They could at least comment on what we have been told.

Deputies can direct their questions. We had some of these experts with us last week and they raised concerns. There may be concerns of a technical nature but we have a fair grasp of what they are. If members wish to ask such questions or express those concerns, they should feel free to do so. We will proceed with a question and answer session.

We are not trying to obtain a technical assessment before buying a new car; we are talking about the validity of the democratic process, which is a very serious issue. The procedures are seriously flawed if the experts who have been invited here are not allowed to interact. I have reservations about the way in which we are doing our business. There should be an interaction between both lists of experts.

I must apologise, Chairman, that I was absent for much of the session, because I had to attend to business in the Dáil Chamber and a vote prevented me from returning to the committee earlier. I understand, however, that a question was asked about the status of the contract for purchasing the machines, which has not yet been signed. I do not think a question was asked about the status of the other moneys that have been allocated - for example, the public information contract for €4.5 million or €5 million that was entered into just a day before the Minister was asked to appear before the committee.

While I did not hear the question, I heard the answer about the verifiable paper audit trail but I am not convinced or impressed by the answer. Any system is flawed that lacks a facility to inform that it is allowing me to vote for candidate A if I press a button to vote for that candidate. Any system that does not have a paper trail is similarly flawed and I do not see any problem regarding voter confidentiality or confusion in this regard. The refusal to introduce a verifiable paper audit trail is based on penny-pinching over costs, rather than ensuring that the system is secure. I would also like to hear about the source code.

There are 41 questions that I have not yet read from Mr. McCarthy but each of them should elicit a written response. Until that happens, the whole mechanism should be put on ice. The headlong rush into introducing this system by June 2004 is indecent and unsafe. It involves the expenditure of massive amounts of taxpayers' money in a system that has not been approved by the committee. There has been little consultation about the issue, which has been pushed by the political head of a Department who is the director of elections for one party. That is democratically unsound. There may be a legal justification for the Department doing this but the matter should be swiftly reviewed. In the absence of answers to these questions and without a proper forum for a real exchange of opinion between experts on both sides, the Minister should state that nothing will happen next June until all the reservations and questions have been answered to everybody's satisfaction.

There are parties here that are representing many people who still have serious reservations. It is wrong for any democratic country to push through such a system about which some of the participants are unhappy. It flies in the face of democracy. I am asking the Secretary General of the Department to recommend to the Minster to put the new system on ice until such time as everybody's questions and reservations have been satisfactorily dealt with.

I am reluctant to interrupt the Deputy but that is exactly what we have decided. Last week we wrote to the Minister and asked him to indicate what contracts had been entered into. We also asked that no further commitments should be made until the committee has concluded its investigation. The Deputy used the word "experts" on a number of occasions, although I am not sure if the people concerned would call themselves experts or not.

They are more expert than I am.

We have to be fair and say that there are experts on both sides who have different opinions. Mr. McCarthy came in here with approximately 40 questions to which the Deputy wants instant replies.

No, I asked for written responses.

The Deputy does not want us to proceed with the matter until such time as those questions have been answered. It is a really tall order to seek instant responses like that. The purpose of the meeting today is to ask pertinent questions of the experts on both sides and following that process we will decide how we should proceed. There is no point in going back over what we discussed at the last meeting, which was the same thing.

I asked for a written response to the questions put.

If we confined the questions it would be more helpful to us all.

The artificial barrier that is between the four people at one end of the room and the six people at the other end should be eliminated so that there can be an interaction.

We can overcome that because I want to ask

I am sorry but Deputy Cuffe is next.

When I get a chance, I want to ask Ms McGaley a question.

That is fine, you can do that.

There is a touch of Kafka to our deliberations this morning, including the method of questioning. I find it quite bizarre that we cannot ask the experts to quiz those in charge of the system. Having said that, the words "paper trail" have a deep resonance for all of us on the committee because they reflect tangibility. Do the experts from the Department not accept that there is strength in a paper trail? All of us with experience of elections are familiar with what ten, 1,000 or 10,000 votes look like. They are tangible and visible. Do the departmental experts not accept there is a huge difference between that and a single Microsoft Access file? Do they not accept that the possibility of interference with a computer file is completely different from the possibility of interference with a ballot paper? Are they not concerned about that issue?

The principle of double-entry book-keeping operates in the banking sector, so that the financial institution has a record and so does the individual account holder. If there is a difficulty it can be reconciled by examining both entries. Do the departmental representatives not accept that this principle is a good one that should be applied to the most important aspect of the democratic process, which is the issue of voting? I cannot understand why the principle of a verifiable record cannot be applied.

The third issue relates to technology. I receive a dozen e-mails every morning containing patches that I should attach to my hard drive. If I push the wrong button, I can do untold damage to my files. Does Mr. Callan accept something similar could happen to the technology he is using?

Reference was made at last week's meeting to a wireless card that can accept data in a stand-alone PC and transform it. Mr. Callan said precautions are taken. Presumably, all the ports are sealed and it is not possible to transfer the data. However, I am aware of the amount of data I can hold on a small USB card on my key ring. Perhaps I am a Luddite but there are concerns about how a small change can have enormous consequences. There is a tangibility to the paper ballot, to which we are accustomed.

My questions relate to the paper trail, the principle of a verifiable record and technology. I would welcome the Department's thoughts on them.

Ms Margaret McGaley

Paper is completely different to electronic records. It is visible, tangible and, even if it goes into a box, it does not change. When I press the "cast vote" button on an electronic voting machine, I have no idea what is going on inside the machine. It does not matter how many experts give me assurances and how many institutes have tested it. When I press the "cast vote" button, I lose sight of my vote completely. When I mark a paper ballot and insert it in a box, I may not watch as it is transferred through the system but somebody is watching. Several independent people are watching the box as it is transported to the count centre and, therefore, I know my paper ballot exists until it gets to the centre and is counted. I want the same assurances from other voting systems that there is tangible evidence of my vote when it comes to counting.

The paper ballots are valid rather than the electronic ballots because that is why they exist. The paper ballot is the official record of votes cast. Whenever there is a recount, paper ballots are used and spot checks are used to confirm electronic results. A minimum number of constituencies will be spot-checked every time it is used.

Mr. Callan

I refer to Deputy Allen's questions. The Department had not entered into contractual commitments since receipt of the committee's letter last week and the Minister will shortly, following today's discussions and consultation with his officials, issue a reply to the committee on the matter. I do not wish to pre-empt his reply. I have, however, explained there is a substantial commitment, if not finally legally disposed of, in regard to the purchase of the electronic voting machines. The Department cannot, in prospect of the elections in June 2004, put things on hold indefinitely. We would be delighted to respond to all 40 of Mr. McCarthy's questions within the briefest interval and continue dialogue with all those who wish to gain a better appreciation and assurance about how the system will run. However, in terms of the need to gear up on training and the issuance of administrative and security protocols to local authorities, we have an executive duty and responsibility under legislation to get on with the preparations for the elections and we cannot compromise ourselves on the statutory duty.

On Deputy Cuffe's points, the Department does not accept the paper-based system is the gold standard against which we should compare other electoral management systems. The paper-based system was responsible for wastage of 1.1% of all votes at the last general election. In the worst case in one constituency, out of more than 60,000 votes cast, more than 1,000 were spoiled and the last seat in the constituency was won by approximately 80 votes. Inefficiencies and inaccuracies are inherent in the paper-based system, which has been running since the foundation of the State. These are compounded by inefficiencies and errors that we cannot accurately quantify in the manual counting process.

The purpose of the electronic voting initiative is to minimise such inefficiencies and to improve the system. That is a significant democratic loss and it has become worse in our experience of multiple polls such as those we face next June. The history of elections demonstrates that where elections are run together the rate of spoiled votes increases. These are not protest votes in the main. The Department's analysis of local election votes estimates that more than 90% of spoiled votes result from inadvertent error and so on. That is the major improvement we are trying to bring to the system and we believe it is a serious matter that the paper-based system is as prone to error as it is manifestly.

On the question of double entry accountancy or the principle of paper-based verification of what is done in the ballot, that has never been adopted under domestic electoral legislation. The principle is not accepted in the present system of voting. When a person casts his or her vote, he or she has no means of checking the vote again. No court has ever ordered that a vote should be produced and in the scheme of things that is impossible. When my vote is mixed with several thousand other votes, how could anybody establish that a ballot contains my vote and on whose say so would they——

One can see the ballot paper going into the box which is sealed and protected until the votes are emptied on the counter.

Mr. Callan

As the incidence of spoiled votes shows, it is possible that in lodging my vote in the ballot box that I have made a mistake and that I have not given my second preference to the person I intended. For example, I may not have my glasses on and the vote does not correspond with my intention. Receipts are not given to people. There is no way of taking an individual's vote out of the ballot box again and linking it with him or her.

Nobody wants that.

Mr. Callan

That is the verification. In what sense does the present paper-based system offer verification or assurance to the individual voter?

The verification is that the voter can see it and put it in the box himself or herself.

Mr. Robert Cochran

This is linked to a question the Deputy raised earlier on the initial presentation by the Secretary General on the history elsewhere in this area. It is correct that few, if any, VVAT systems are in place world-wide. There are relatively few electronic systems in place and the issue has not arisen. However, almost every day I receive correspondence from senior respected technical people and organisations around the world and all say that if we move ahead with electronic voting we must have VVAT. Computer experts world-wide say this is essential.

Can that be supported?

Mr. Cochran

We mentioned the reasons already but I did not want to go back over old ground. The risks inherent in a system that——

Has evidence been produced and is it available?

Mr. Cochran

Yes, I do not have it all here with me but it is consistent.

Ms McGaley

Brazil has an electronic voting system but it is now retro-filling its machines with printers to add a voter-verified audit trail. In California it is law that by 2006 all voting systems must include a voter-verified audit trail. A well-supported Bill is going through the legislative system in the United States that will make this requirement federal law. If it goes through then all of the US states will be obliged to use a voter-verified audit trail. Although there are some systems in the United States that do not have a voter verified audit trail, their number is being reduced. A group called Verified Voting, started by a professor in the United States, has several hundred signatures of top professionals in the field who all agree that a voter-verified audit trail is the minimum requirement for an electronic voting system to be safe.

My concern is that a few lines of computer code might wreak as much havoc as a shredder installed at the back of a counting station but would remain invisible, as we cannot see inside the box whereas we can see the paper ballots being sorted.

Deputy Allen's question whether a PR contract was entered into was not answered. The response given was that no contract has been introduced since we made the request to the Minister. I would like to hear a reply to that. In a manual ballot many voters take the opportunity to spoil their vote. Has a voter got that opportunity with the electronic ballot? Some people spoil their votes deliberately. When it comes to a close vote and the scrutiny of votes, the majority of spoiled votes are because presiding officers fail to stamp the ballot paper. If some presiding officers are not fully capable of conducting their duties with a paper ballot, how will we ensure we have presiding officers fit to conduct their duties with the electronic system?

I have a few questions for the Secretary General. On the issue of a paper trail, he said there would be an issue of confusion as to which was the dominant record if we had both paper and electronic records. If legislation clarified this, would there still be a difficulty in providing a paper trail?

I was interested to hear the Secretary General talk about the study of spoiled votes. This is the first time I can recall this issue being analysed. I did not know there had been an analysis of spoiled votes. If the Department has done an analysis, it should be made available to us. It is possible, for example, that there may be a political conclusion or slant to the pattern of spoiled votes. The information and analysis on spoiled votes which has led the Secretary General and his officials to the conclusion that the number of spoiled votes justifies the introduction of electronic voting should be made available to us.

I understood from the Secretary General, that his difficulty in releasing the source code was that the Department does not currently own it. I presume the owners of the source code are represented here in this room. Will they make the source codes available?

Mr. Callan

With respect to what Ms McGaley said concerning the voter-verified audit trail, we do not believe that this is a predominant trend with regard to electronic voting. I stand by our thesis that most electronic voting systems have no truck with voter-verified audit trails on the basis that the most sensible way of validating an electronic system is through testing and quality proofing it so that the input signal produces the desired output. We can, as we move closer towards the elections - from next month on - simulate for the benefit of political parties or any other interested people if they so wish, exercises which will show that votes inputted and stored in the machine produce the same result as on paper. We will print the voting preferences in advance, keep the printed record, input the printed preferences and produce the machine print-out of what was inputted to show both input and output are the same. We are willing to develop and run such exercises if they are helpful to those who want to discuss the matter with us.

I will offer Mr. Groenendaal the opportunity to comment on the software as he is its developer.

Please deal with the issue public relations.

Mr. Callan

I will, of course. As with the matter of ballot boxes, letters of intention have issued on the public relations contract but it has not finally been executed in a legal sense. We accept that a contract will be entered into but it has not been signed off on yet.

Mr. Jan Groenendaal

The international situation was mentioned. The concept of using voting machines is not so new. One of the principal aims in introducing the concept was to get rid of paper. The introduction of voting machines in the Netherlands years ago completely got rid of the paper trail, yet the people's confidence in the system is extremely high. Since 1984, every parliament was partly chosen by the use of voting machines using our software in polling stations. Their use has increased and is now at 95%. In Germany, and when Germans change to something new they do things thoroughly, the system as used in Holland is recognised in legislation for nationwide elections - the European Parliament and the Bundestag. It is also recognised in seven of the 16 Bundeslander for all the regional and municipal elections. Approximately 100 communities there started to use this system in 1999, among them the town of Cologne with almost a million voters, which has had nine elections since. At the end of October France recognised in legislation the use of this system. I oppose the view that there is no trend to move away from a paper based system. There is broad acceptance of the existing electronic system, at least in western Europe. However, we must consider that there are about 200 million inhabitants. We have accumulated experience in Holland and have processed approximately 70 million votes in successive elections. We never lost a vote or had one petition against some irregularity or doubt. There are significant reports from independent institutes about the considerable confidence people in France, Germany and Holland have in the system.

Mr. Groenendaal spoke about not losing a vote. How are faults detected? What happens if 100 people vote for Deputy Gilmore, for example, and ten out of every 100 votes cast for him go to Deputy Andrews because of a fault in the system?

Mr. Groenendaal

It can be detected by the so-called black books test, whereby one is sure that the machine one starts with performs as it should. A greater concern would be if 1,000 people voted at a polling station and only 900 votes were registered in the electronic books. We never had any failure of this kind and we have a memorable record.

When this committee last sat it was stated that there is no such thing as a 100% accurate computer system. Is Mr. Groenendaal's system 100% accurate? If 50,000 votes are cast in a constituency, will 50,000 votes be recorded and counted accurately?

Mr. Groenendaal

Yes. It is very easy because our system works as a complete one-to-one substitute for the existing procedure. We have a ballot box and the only difference is that it is an electronic device. It stores every image of a vote. Once polling ends, we have ballot boxes with their contents, which can then be counted. If the count goes wrong, we return to our ballot boxes, just as one would do in a paper-based system. One can carry out the count again on another independent computer.

I have a further point to make on the audit trail. The committee should not be under the illusion that a paper trail of each vote in a polling station will raise credibility. It can still be tampered with. Furthermore, once a paper trail is introduced, with a printer next to every voting machine, the probability that the machine will work all day without any disturbances will decrease dramatically. It is the cash register syndrome.

Everybody who talks of a paper trail should go to the NCR and ask how people in a supermarket on a Saturday afternoon, for example, react to numbers first appearing on a screen and then on paper. One does not check one's receipt immediately after purchasing goods in a supermarket. If a voter does not check immediately, the whole concept of the audit trail goes down the drain. One does not gain by adding a paper trail, and the purpose of the voting machine is to get rid of it.

Mr. Henk Steentjes

I can add to Mr. Groenendaal's point. As he stated, the machine is designed to work without a paper audit trail. The plea for a paper audit trail is heard in several states in the United States, where investigations have been conducted by all kinds of computer experts on the touch-screen voting systems that are used widely in that country. Most of the touch-screen voting systems are PC-based and have very vulnerable operating systems. Everyone is familiar with the blue screens of Microsoft in this regard. This is not the case in respect of our machine. We worked to address concerns such as those of this committee for over 32 years. The first voting machine we built was built 30 years ago according to a mechanical design.

The important thing about a voting machine is that it must work when required and must be dedicated to its task. Therefore, we built a machine based on proprietary hardware and firmware, i.e. embedded software. The machine cannot be bought elsewhere as we designed it specifically for its purpose. We carried out extensive worst-case calculations on it and we built all kinds of protection layers into the software and hardware to ensure secure and safe recording and storage of votes. The system has been designed well and tested by a top-ranking test institute, the Physikalisch-Technische Bundesanstalt. The Home Office in Germany directs this body and it is the only institute allowed to test voting machines that are to be operated on a nationwide basis. The institute did a thorough test of the hardware, examined the design and carried out very thorough code and software inspections. These tests ensure the machine will store votes in the ballot box. We must be certain the machines being built are the same as the machines that have been tested. The machine the German institute tested is held in custody there and reference can always be made against that machine.

The embedded software, firmware, has checks that appear on screen when the machine is started. It checks that the correct software version is installed in the machine. The machine is not accessible from outside; new software cannot be installed and to do so, one must unscrew the cover and go deep into the electronics to change the circuits. This is difficult to do. Who will do this? The software is not available for purchase. By its design, the machine is difficult to tamper with.

Mr. McCarthy raised the question of electrostatic discharge. This was considered in the design. We conducted severe electromagnetic compatibility tests on the machine. For example, one thinks of the effects of electrostatic discharge in dry weather when one can get a shock when one touches a car door. This effect can disturb electronic equipment. Each voting machine we build is individually tested with 16 kv on several parts of the machine to ensure that it can withstand harsh environmental conditions, both in polling stations and in transportation to the stations.

By the nature of its design, the machine registers the vote and stores it in an electronic ballot box. Each individual vote is stored four times in individual memories so that if one fails, the others will still exist. Constant checks are carried out and each time a new vote is stored, all other votes are checked for validity. This is to help us check for errors. Mr. McCarthy referred to sequences that altered from zero to one. Something like this could not happen under our system as we do not totalise votes and then store them - each individual vote is stored and can be retrieved. The votes can be downloaded in any computer system that can read ballot modules. There will be a set of electronic votes similar to the physical ballot papers one would find in a ballot box. The votes are then processed and can be mixed in all kinds of ways in the count.

This is a system that can register votes in a secure and safe way. A top-ranking testing institute tests the system. When I headed for Ireland from Schiphol Airport, I boarded an aeroplane and placed my life in the hands of those operating the aircraft. I did not ask to see the source code used by the authorities or ask how it was tested. I trust Airbus, the manufacturer of the craft, and the FAA that certified the machine.

The problem is that aeroplanes sometimes crash.

Mr. Steentjes

Yes. This is part of the system. If we have 7,000 machines in operation, I can assure the committee that some will fail on election day. However, the votes stored will continue to be stored. The machine will be replaced and voting will continue and the ballot modules from both machines will be read. I invite the committee to fly with us.

Ms McGaley

The system is well developed and Mr. McCarthy also gives this impression. However, if one boards an aircraft and something goes wrong, one will know about it. We may never find out if something goes wrong with the electronic voting machine and this could result in the wrong person being elected to power. I need tangible evidence that my vote is recorded correctly.

Mr. Steentjes has made a few statements and I am afraid the Department is damned in the eyes of its own experts. Mr. Steentjes said that general computers sometimes get blue screens and stop. This is precisely the type of computer the Department proposes to use for the counting of votes.

I agree that the Nedap machine is superb. It is extremely well engineered and records votes four times in the ballot modules. What happens in the module? It is a passive device that serves as a ballot box and is brought to the count centre. It will be exposed to the elements for a number of hours before it is counted. Granted, the votes inside it are recorded four times, yet because of the number of machines we have, one of those devices will suffer a single event upset. Precautions have been put in place by recording the vote twice - it is recorded and inverted in the first chip and a recorded for a second time and again inverted in the second chip. Will Mr. Steentjes tell us what rules are applied in the counting system to judge which copy is real and which is damaged when the chips are read? How often have the "internal voting rules" in fail-safe systems been triggered? Perhaps it has never happened or it may have happened a number of times.

The ballot modules carry the preference of the voters to the counting centres. As Mr. Steentjes said, a machine will occasionally fail and a back-up machine will be used, a so-called spare ballot. There is direct evidence in material I have read that the Department has not put into procedures with Groenendaal the correct accounting for occasions when spare ballot modules are used in a polling station. These will be used occasionally and this will not be known when one returns to the count centre unless one carefully checks what the presiding officer signed for and returned. They are still testing the traceability, accuracy and tracking of this before the so-called release for mix and counting takes place. I draw Mr.Groenendaal's attention to an error which occurred during ERS testing last year but was fixed. During the test a vote appeared to have been lost after a transfer and after that point the number of votes was one fewer than at the start. The error occurred in mature software, version 84. Version 85 probably fixed the error, but this is an example of what is currently going wrong in the IES software written by Mr. Groenendaal. There are many others.

From the point of view of software development, my concern is that in the test records, which I reviewed yesterday, these incidents are not numbered - there is no bug numbering or tracking and no resolutions are reported by the developers to the owners in the Department. There is no evidence that formal procedures are in place for fixing these and there is evidence that the ERS company is not reporting bugs to the Department but directly to the developer, who sends back software to be tested further. That is a dangerous process in a system that needs to be statutorily controlled.

Mr. Steentjes mentioned that he tests his devices with 16 kV ESD. In fact, the energy of cosmic rays is 10 GeV, which is far higher, and cannot be protected against, only coped with. I know a little about this because I am a physicist. These are examples of the real problems with the system. The general design of the Nedap system is quite strong and it has coped as well as human design can cope with the occasional error. We are human, so the systems we invent are not perfect. There are even ambiguities in the statutory counting rules that are giving grief to the Department and the software developers, who do not know what to do about eliminating multiple lowest continuing candidates with zero votes, although that is not likely to arise in the context of Irish elections. The greatest difficulty for computer systems is dealing with the null case - the case in which there is a zero quantity of something. This is far more difficult to deal with in software than any positive or negative quantity, because the system must deal with an absence. It comes very close to the absence of a paper trail.

To take up Mr. Callan's comment about the difficulty of managing a paper trail, we have no difficulty in managing paper today. We must treat the paper trail docket in the same manner as today's ballot, with suitable legislative controls, either primary or secondary. The docket is given to the voter by the machine at the point at which the vote is cast. Perhaps a second button would be required. It must be folded and the back of it must be presented to the presiding officer, placed in the ballot box we have today and sealed.

When the software reads in the preferences from the ballot module, I know it records the voter number as randomised. Does it also record the ballot module number? If it does, Nathean's review has told us these two numbers are kept after mixing and thus at any time the contents of a ballot module may be checked on a random basis by using the paper in the ballot box. We must incorporate this before we can trust the system.

I thank Mr. McCarthy for his contribution. Under the system of paper verification a person goes to the voting machine and casts his vote electronically and then takes the paper verification ballot, looks at it and presents it to the returning officer in a ballot box. This provides an opportunity to scupper or undermine the integrity of the election because he could state that the vote he cast is not what is on the ballot paper. If several people did this in an orchestrated fashion the integrity of the election could be undermined. Could Mr. McCarthy tell us whether this has been considered?

The machine records both the electronic vote and the paper ballot. It is the machine that prints the piece of paper and records the electronic equivalent. I understand the opportunity of changing one's mind is always there. Whether, through legislation, we allow for this after the paper has been printed is a matter for the Deputies to decide.

Mr. McCarthy is missing the point. The person would not actually be changing his mind but saying the machine did not accurately turn out his vote.

The voter only has one thing in his hand at that time and he also has a piece of trust. The one thing in his hand is the paper record of his vote and it is what he input because if it is otherwise, he must not have cast it. We must invent a two-phase commit procedure - a common thing in software - whereby if one decides one wants to do something, one writes it into the system, then checks it is in the system, and then knows it is done. If a person decides to vote in a certain pattern he presses the buttons. There is no opportunity for people to press them backwards.

People who have given presentations to the committee have stated there is an inherent flaw in the system whereby a voting machine could move votes - one in 20, one in 40, one in 100 or one in 1,000. This was stated by Ms McGaley last week. It could create difficulties.

The proof of the pudding is that the paper ballots are available for the normal counts. We count the contents of the entire election or a selected ballot module against the records from the election or module, post facto. We should do this on a random basis to provide trust in the system. I do not follow the Deputy's contention that it would be an opportunity for mischief. I do not see how the mischief could be created because the individual voter's intent is recorded by the machine and printed on the paper and, as we know, it becomes anonymous. The machine does a fine job of making it anonymous in the ballot module. It is an anonymous but consistent record.

The Belgium system records the vote on a magnetic card. It is almost the same thing except it benefits from being reusable and it meets Mr. Groenendaal's desire to do away with paper. In Belgium they are lucky to have a ballot box physically attached to the computer containing the magnetic cards of all the voters of the previous day. During one test the cards were run through the machine again and counted, resulting in a discrepancy of 4,096, which did not occur in the voting machine but in the counting machine. We have two completely separate systems, meaning two sets of software and two separate tests. We must have trust in each system separately. I have far more trust in the Nedap machine than I have in the ordinary Microsoft PC, with software written by Bill Gates and his company, on which we will count our votes, with blue screens and everything.

Ms McGaley

The question asked by Deputy Kelleher was also asked last week. If a voter casts his vote in a Nedap machine and claims the machine will not allow him to make his vote, that is the same problem as occurs when the machine prints a ballot and the voter claims it is not the correct one. The problem is introduced by the electronic voting machine, not by the paper ballots.

Mr. Steentjes

As Mr. McCarthy said, the voting machine is trustworthy. That is very important because the votes are in the ballot box, allowing for counts and recounts any time. What is important is that the votes are available. One cannot ask people to come and vote again.

Mr. Callan

I am not a technical expert, but it is worth pointing out that in addition to the four-way storage of each vote, as mentioned by Mr. Steentjes, there is a backup module in each machine in case of untoward events, so there is double the security in the event of any breakdown or difficulty.

We would be willing to engage with Mr. McCarthy to deal with the detailed set of questions he has put to us. Some of his arguments were a little difficult because of his limited access to our background material, but we will be remedying that early in the new year with the publication on our website of a suite of reports relevant to the certification of the whole process. We will send those reports to all concerned. Mr. McCarthy is developing some rather invidious conclusions on the standards and professionalism of the work carried out so far, but we hope to satisfy him in our response to the 40 questions he posed. Some of his arguments seem to amount to saying that a computer has no place anywhere near the electoral process. I find that a difficult proposition in terms of the prevalence of computer use in modern life. It is not accepted by an increasing number of electoral authorities and governments around the world, or by the people of the Netherlands and Cologne who are benefiting from the system being extended to Ireland. We will engage more fully with Mr. McCarthy when we have had the opportunity to study the 40 questions in more detail.

I would like to hear Mr. Cochran respond to the assertion by Mr. Gronendaal that if 50,000 votes go into the system in a particular constituency, those 50,000 votes will be accurately recorded and counted. Mr. Cochran dealt with this issue at the last meeting and I would like to hear him respond. I asked earlier about the ownership of the source code, and whether it can be released.

I was elected by means of this system at the last general election. We heard then some of the same type of negativity that we are hearing from some quarters here today. In my constituency at the time of the general election it was suggested that the elderly, the young and those not interested in computers would not vote. The constituency turnout was nevertheless tremendous, as it was elsewhere. I have the height of praise for the system.

It gave a tremendous result.

There is no doubt that the result was tremendous. It came of course after a professional campaign. As I said before, the only problem involved the suddenness of the result on the night. It was suggested we should have had the results count by count.

I have the height of confidence in the system. The constituency turnout exceeded all our expectations. I must compliment the people from the Department of the Environment, Heritage and Local Government who organised demonstrations in the towns and villages. This was a great help to people prior to the system coming into operation on the day of the election. I cannot understand why people should be afraid of the system. We must move on with new technology. The system was very successful for all the parties.

What about John Farrelly?

He lost, but another Fine Gael member won. There was no loss or gain there. There was no computer error. I have the height of confidence in the system.

It strikes me as extraordinary that a system of this importance, which goes to the heart of our democracy, would be put into production without testing. I am speaking of the European elections. There is a dramatic difference in the volume of votes to be run through the system. It begins to stretch precisely those elements of the Access database technology with which the Department is sticking. Nathean's comments on the merits of the Access database did not rebut the point I made that Microsoft itself recommended against using it for critical systems that require recovery and integrity.

This will be a very large count. The Department is proposing not to test it because it is similar to a Dáil count, though not the same. The rules are the same, but from the computing point of view it is eight to ten times more onerous on the computer, and on the tables and their indices. We have not mentioned referential integrity and other matters pertinent to the insides of the Microsoft system. Nobody in those systems with which I am familiar in Dublin over the past ten years, systems on which we spent between €2 million and €12 million designing and implementing, ever used Access. We always use SQL Server or Oracle. Nobody uses Access. I can provide chapter and verse in due course. At the very heart of a large count of 450,000 or 500,000 votes, to use Microsoft Access is foolhardy.

I wish to endorse what Deputy Brady said. It is very important that all the committee members are given the opportunity to raise their queries and get the clarification necessary. That has been done not alone today but on previous occasions. The longer we continue to raise doubts and fears the more we raise and create them in the minds of the public. What we should do is roll out our PR wagon to every constituency in the country, educate the people, advise them and train those who will operate the system. There must be a certain level of trust in every system. After the last general election, during which the votes of three constituencies were counted electronically, there were no complaints. The only complaint involved the presentation of the results, a problem that has been rectified. Nobody raised any of the fears or doubts raised at this committee meeting today. There was no difficulty. Nobody questioned the results regarding those elected. That is the bottom line. People were elected through the system and I have no doubt that the paper trail would have shown the same result.

It is time we moved on, and allowed the Department and the Minister to carry out their business.

We shall decide later how to proceed.

I support what my colleagues, Deputies Brady and Cregan, said. I take the point made by the Secretary General about the spoiled votes. That is a matter we should be trying to rectify. We come back to the issue of trust. We must prove that the system can work. Mr. Steentjes made the point some time ago about boarding an aeroplane. By coincidence, I am thinking back to when Ms McGaley's uncle and I worked in air traffic control in the 1970s. At that time the system was based on primary radar in Dublin Airport. It was a paper trail. The primary radar depended on the signal coming back from the aircraft to the beacon on the airfield. That was backed up by a paper trail with the aircraft speed, direction, altitude and wind velocity. We moved from there to secondary surveillance radar, which involves no paper trail. There was a huge element of trust in doing that, far more important than in the voting procedure. This specifically made the point. The trust of the flying public was transferred to the specific person, namely the air traffic controller, dependent at that point on second surveillance radar once the switch was made. The paper trail was abolished. I suggest that system is now much safer. It comes down to the specifics of trusting the system. I will share similar trust in electronic voting.

Mr. Cochran

Deputy Gilmore asked if we could trust the accuracy of the votes cast. This touches on many of the issues raised this morning and at previous meetings. Deputies will recall the election of Deputy Dick Spring in North Kerry some years ago when after several recounts he was elected on a four-vote margin. If this system gives a result like that, would we trust it? Can we be sure that it is precise to within two, three or four votes, because we have had such outcomes in recent years? From what I have heard, I know of no way of verifying that we can be sure. The software being used in the counting has not been tested to the same level. Examples have been made of software running aircraft. This software has not been tested to the same level to which aerospace software is tested and verified. I have some experience of developing satellite and other avionic systems and know it is time-consuming, expensive and complex. I am not aware this has been done and it needs to be. Someone made the point that one has to trust the system when one boards an aeroplane to fly somewhere. If I knew the aeroplane used something like Microsoft Access I would not be happy to get into it. It probably would not matter, but if it was at that level of technology I would echo what Mr. McCarthy said as a computer professional. If I was developing systems this complex I would not use Microsoft Access. It is good and useful for small-scale home or non-critical systems, but it is not to be used for this type of project.

In answer to Deputy Gilmore's question, there is no way of knowing the accuracy. The only way is that made in a point by another speaker, in a somewhat different context, namely that in the Netherlands and Germany they are happy that it has worked consistently. However, I would stress this is in a slightly different context because the voting rules are not identical. The system is not identical and therefore that experience is not a precise test for what is happening in Ireland.

I too share some of the sentiments voiced by Deputies Cregan and Moloney with regard to trust and confidence in the system and the need to encourage people to take part in the system and become more aware of what electronic voting seeks to achieve with regard to efficiency and safety. Something has been missed here and I just wish to raise the issue. The voting machine is expected to be accurate to 100% all the time. Our present electoral system is not as accurate as we would like to think. The voting and transference of surpluses is based on a bundle as opposed to full recounting. I was involved in a recount myself and most recounts are not that at all, they are rechecks. A full recount would require all the ballot papers to be redistributed throughout the various pigeonholes and various transfers to be made. If that were done perhaps there would be a very different result. That is a fact of life. The computer system is much more accurate than that. The present electoral law does not allow for a full recount. It allows for a recheck. It is well known that given the vagaries of transfers and surplus distributions there could be a different result next time around. That is why the electoral law does not allow a full recount. We are asking the people to put their trust in a computer system that is more accurate while the law is actually allowing for the inaccuracies in the current paper system.

I am sorry I missed the early part. I was involved in voting, electronically too. I would be much happier with this machine if it could guarantee the abolition of personation for all time. Someone was telling me about it over on these benches. I wonder if computer people fully appreciate the shenanigans that go on and the lengths to which candidates will go to try to get elected to the Oireachtas. In my own constituency, Louth, just fewer than 700 votes were spoiled, a significant percentage of which was because the presiding officer had not stamped them. That had a major potential to change the result. It did not on the day because the numbers were greater than the 700. However, in a tight situation it could have made a difference. We have heard about former Tánaiste, Deputy Dick Spring. The Minister for Communications, Marine and Natural Resources, Deputy Dermot Ahern, won an election in Louth by six votes. I lost an election a few years ago by 11 votes. When it comes down that level this is important. I have a question about the machine. Mr. Steenjes told us that it is sealed, but is there not a port on it for a cable, for relaying the message to the main counting device?

Mr. Steenjes

There is not.

There is no facility. Does it have to be physically opened to that?

Mr. Steenjes

Yes. It can be compared to a calculator. What can be tampered with on a calculator? How can it make one plus one equal three?

A final question: assuming there cannot be a printout of this, perhaps it is because a big ballot paper is anticipated of the type we are accustomed to. Why is there a difficulty in creating a much smaller paper system, similar for example to a cash register receipt? What is the difficulty in creating that, at least on a trial basis over several elections, to convince people that this is real?

Mr. Groenendaal

I have a videotape of an election in Belgium where a system was tried out with a paper trail within a small printer like a cash register. It was behind the screen so one did not get an original of each sheet but one could read and confirm what one had written. It was then cut off and fell down into an enclosed ballot box. It took a week before the first announcement in the national news that the try-out had failed because there was a difference between the electronic storage system and the papers.

Was it much?

Mr. Groenendaal

It was announced, but it was in the news every week that research was ongoing. It took a week, only in one small precinct, to establish the manual count to make a comparison, because it was a combined election. It was on small pieces of paper and it came out every time according to the norms practised in paper systems with a different result. Statisticians will confirm that if there are ten recounts and one of them differs and an eleventh shows a different result again, there is no proof at all. It is nonsense to consider such a situation. In the video there was a video jam. At a certain moment the paper did not transport well and everything was scrambled up. If this is what is in store for the future, I think I will learn another trade.

Deputy Morgan mentioned that the primary source of spoiled ballots was the lack of punching with the official stamp by the presiding officer. In any new electronic system, that is entirely eliminated. The vast bulk of lost votes, therefore, will not arise for that reason. It would be interesting, as Deputy Gilmore requested, to see the statistics from the Department of the Environment, Heritage and Local Government on the analysis of such spoiled votes. Those votes will be entirely retrieved by an electronic system. I support electronic systems in general provided they are implemented properly and safely.

One aspect of this system bothers me greatly. This folder contains the only 14 pages of documentation from Powervote - I believe Groenendaal is behind Powervote - which are technical matters relating to how the counting software works. There is a big document for the returning officers, on how to run the screens and so on. This is the only technical documentation describing the software development of the counting along with the equally large and complex software development of the election management system for registering the polling stations and candidates, printing the ballot papers, preparing the ballot modules etc. They are two enormous pieces of software and, as far as I can formally ascertain, the Department has no documentation on these matters whatsoever as I have not had any response to five requests under the Freedom of Information Act and two internal reviews. It begs the question as to how the Groenendaal Company developed this software. My first query: how many people in the Groenendaal company work on this software and how many people in the Powervote and Nathean companies have seen it? Has anybody in the Department seen it? If my understanding from reading the files is correct, there are six people in the world who know how the Irish counting system will work. To my knowledge, none is endorsed with accreditation or certifying agencies. What software accreditation is being brought to bear on this system by the Department and its experts?

Ms McGaley

In response to Deputy Kelleher, on the difference between recounting and rechecking, there is a difference, but according to the law that is not an inaccuracy in the system. Currently the electronic counting works exactly the same way and one cannot recount, only recheck. It will be possible to implement recounts in the future but it has not been implemented yet. Errors in the all-paper system affect one constituency once, whereas an error in the electronic system might affect the whole country every time the system is used. The big difference between the electronic and paper systems is that an error that changed the workings of the voting or counting machines would affect every count every time the system was being used. In response to Deputy Moloney's query, the fundamental difference between an air traffic control system and an electronic voting system is that in general no one is interested in subverting the air traffic control system and we do not have to fear that someone will try to tamper with it in such a way that it will not work properly.

Who are you suggesting would want to change the voting system?

Ms McGaley

We have to assume that people would want to change it. We live in a real democracy where people's votes are counted but who is to know what will happen 20 years down the line? The power of democracy is that if the wrong people are elected we can get them out again.

Is Ms McGaley suggesting that this cannot be done with electronic voting?

Ms McGaley

I am suggesting the possibility exists that someone would want to subvert our electronic voting system.

Could someone subvert the present voting system?

Ms McGaley

It would be much more difficult.

Would it not be possible for someone in a van or car to pick up ten or 20 ballot boxes?

Ms McGaley

If 20 ballot boxes went missing, that would be noticed.

We will have an overall majority by then, so there will be no need.

It has been mentioned widely that the introduction of electronic voting with the purchase of 7,000 machines will cost €60 million. It has been widely speculated that storage of the machines will cost up to €4 million each year and, taking an average ten year lifespan for each machine, it will cost €100 million. What is the machine lifespan and how will the replacement be organised? During the ten-year period there may be two general elections, two local elections, and EU elections, and I wonder would £10 million per annum for electronic machines be considered good value for money? What are the estimated costs for the provision of staff for elections? Will more staff be employed on election and count days?

This is a question for Mr. Groenendaal. If someone was determined to corrupt the software for the counting, how would you prevent that happening? Has Mr. Groenendaal considered the possibility that somebody employed in his company could lie low for a couple of years and then do what he intended to do?

Mr. Groenendaal

I see as a positive one of the minor negative points Mr. McCarthy mentioned - that only a small group of people is involved in the development phase of the software, and the possibility of widespread running around with it does not exist. The software is under constant development, as it is not made once, frozen and used for the next 20 years. For every election, we deliver a so-called production version that is used in the following election, and we do so at the latest possible time before the election. That version has the last mark of the testers and is in the custody of the Home Office in Holland. In Germany it is in the custody of the Oberburgermeister of Cologne, for the moment, but that will alter. A similar procedure will be in use here.

Is Mr. Groenendaal saying that at each election, his company at the last minute redesigns——

Mr. Groenendaal

Not at the last minute; on the latest possible date counting back from the election day.

How do we know that Mr. Groenendaal's company has not made a mistake?

Mr. Groenendaal

We deliver it to the customer and he gives the order as to the last phase, there is an iterative process of development and there is a moment when we say that we hold the status of the system at this moment and we go into the next election with this version. It makes it rather difficult for bad-minded people to tamper with the software.

If I wanted to get a particular result in an Irish election - as we saw in "The Gangs of New York", the people who decide the election are the people who count the votes - and I decided to find the way the votes are counted, as I need to doctor the software somehow, I would plant a good computer expert in Mr. Groenendaal's company to work on it. How would Mr. Groenendaal stop that?

Mr. Groenendaal

I am very careful in choosing the personnel in my company. It is rather simple. If something like that happened, it would happen only once. I have a reputation beyond Ireland in the election software field since 1982 and my capital is my reputation. If someone intends to interfere with the software I am the first one to deal with it.

It would not be impossible to do it.

Mr. Groenendaal

No, but again there is the testing procedure of the software.

Mr. Callan

The final version of the software for a particular election, which Mr. Groenendaal will develop, will represent the culmination of all the efforts we have made - I referred earlier to continuous improvement - in the previous year in dealing with the company. It is not something they will produce from cold, so to speak; rather, it will be the accumulation of all efforts to improve the software up to that point. The software will then be delivered to us. There will be space within the schedules we have established with the company, for the Department to procure independent verification and testing of that software. We will do that before we commit the machines and other software to the actual business of the elections.

We are talking about software that is dealing with the count. How does one test the count software when one is not conducting a count? Presumably, this will be a month or two before an election.

Mr. Callan

Mr. Pugh is involved in reviewing the architecture and in the overview. Of course, we are not conducting a count; we are verifying the architecture and accuracy of the whole system that is employed.

Mr. Pugh

On the question of tampering, I have knowledge of the database and the source code, which are two obvious areas in which this sort of corruption could occur. The review status would identify those. If there were tampering with the source code to distribute votes in a certain way or to alter the result, it would be quite obvious because it would be in the source code.

We do not have the code.

Mr. Pugh

We do.

Mr. Pugh

Sorry, I will qualify that - I do have.

Mr. Callan

I am sorry to cut across Mr. Pugh but I would like to explain because the Deputy has already mentioned the source code. The Department has full access to the source code and its agents - in this case, Nathean Technologies - have access to it. The Department is legally responsible for the proper conduct of elections. We have to take this responsibility ourselves and to discharge it conscientiously. We are doing that through the use of competent agents who will second-guess and test things.

It is another matter, and one for legitimate policy debate, whether or not it is desirable to put the source code into more general circulation so that other people can conduct their own tests on it. It is fair to say that there are arguments for and against that sort of concept. I do not have a strong position but in terms of the integrity of the whole process it is important and there would be arguments for and against. There might also be an argument that constructive and well-meaning technical experts outside our sphere could add value to the source code if they picked up some minor things. They are part of the argument in favour of letting out the source code. However, there are significant security considerations against letting out the source code at all, which one would have to consider.

The Department has full access to the source code, and so do its agents, which allows us to conduct tests under our responsibility to the Oireachtas to guarantee assurance for the system.

Ms McGaley

If the software is continually changing, and so the software used in election B is different from that used in election A, was the software used in election A faulty? If not, why is it being changed?

According to Mr. McCarthy's research, the code review involved reviewing 500 pages of code a day. I know that in reading code it is very difficult to find bugs. As I said the last time I was here, even NASA which has incredibly careful code development systems, expects to have bugs. If 500 pages of code per day are being reviewed, the chances of finding something that is carefully hidden are very low. It is possible to hide carefully what we call Trojan horses and such things. Therefore, if something is hidden carefully, it is possible that it would not be found by a code review.

Mr. Cochran

I want to comment on the issue of the risk, or otherwise, in releasing the source code for wide review. I do not think this is an issue because one would not be releasing the live code - the code that is used in a production sense. One would be giving copies of it for outside experts to examine and make recommendations for changes, which would come back into the system in a controlled way, so there are absolutely no security concerns in doing that. I accept that there are arguments one way or the other but in my view the arguments are much stronger in favour of releasing the code, as was done in the Australian example, which has been well documented. In that case, it was made available and even though experts had produced it, external experts found some errors that had been missed by the internal experts and they improved it. That could well be the case here. There are good arguments for taking that route and, properly managed, there is no security concern.

The size of this system is enormous. We were advised in a report from Nathean Technologies that the source code is some 200,000 lines of code. Dividing that figure by 50, the number of lines per page, two thirds of the source code would occupy a large box, which is a huge volume of written information. There is a salient difference between Nathean Technologies doing a code check and ERS doing a test. ERS actually tests the software using a black box technique whereby they inject votes, run them through the system and watch the results. They are moving all the time, trying to get it dead right. It is still the case that it is not quite dead right. That test process does not include the European volume of votes we were talking about, whereas the presumably excellent code reviews that are done by Nathean Technologies, are desk-checked to see what the software looks like.

This begs the questions that Deputy Gilmore asked of Mr. Groenendaal: how is the software controlled? What is the version control of the software? Are there release notes with each version? Is there a certificate that comes with one of them that states, "This is the software to be used for the June 2004 election"? Having searched through the material I have, I found a single sentence in an appendix from ERS that states, "IES software certified". If I am right, it seems that is the certificate. It is a very poor certificate, however, and does not provide much confidence for those of us who are reviewing it that good and proper things were done to come to the point where accreditation could be given.

It begs a different question: if it is changing every year, must we, perforce, have annual accreditation, testing and certification? If that is going on, year after year, it strikes me as being a primary example of something that should be given to an electoral commission, to be conducted independently of the Executive and the hardware and software providers.

Mr. Callan

The Department is caught in the middle of some of the arguments that are flying around. On the one hand, people are asking why we keep picking over the software and why are we trying to find minor improvements to it. On the other hand, Mr. McCarthy chided us for not being up to the mark in terms of continuous improvement. The position I stated in my opening comments is unequivocal: we are committed now and beyond June 2004 to a process of continuous improvement. We think the electoral system deserves no less. In terms of software technology, it would be lax and complacent of us not to continue at some level a programme of testing, validation and verification of the systems to be employed at elections. That is our commitment and we do not regard it as a sign of weakness.

As you will be aware, another vote is being called in the Dáil. Are members happy to leave the questions at that?

That is a good point at which to wrap it up, Chairman. I wish to thank the Secretary General and others for attending the committee.

It is appropriate for us to wrap up the meeting at this stage. As regards the 40 or 41 questions presented by Mr. McCarthy, is there a commitment that they will be answered within a reasonable delay?

Mr. Callan

Absolutely.

It would be appropriate to resume on that matter, Chairman.

We will decide on that. I wish to thank all the witnesses for attending today's meeting and for dealing so comprehensively with all the questions raised by the members. I hope the four people sitting in the public gallery feel there was no reason for putting them there other than the presence of six officials and it was more appropriate to seat them around the table. I thank the witnesses.

Mr. Steenjtes

Mr. McCarthy referred to 200,000 lines of coded effects. This comes from an international software package and it is also used in Germany. The number of lines for Ireland is 70. The amount of code is much less than used elsewhere.

I thank the witnesses. The committee shall suspend until immediately after the vote.

Sitting suspended at 1.50 p.m. and resumed in at 2.05 p.m.

The joint committee is resuming in public session.

There are key questions still to be answered regarding the security and integrity of the electronic voting system. One of the expert witnesses posed 41 important questions to the Department, which has requested time to respond in writing. Therefore, we cannot reach a conclusion regarding the integrity and security of the system. We cannot make a judgment until all questions are answered. As the Department has indicated, it will respond in writing to the questions, we have no choice but to await its response before making a decision based on all the available information.

Does the Deputy propose that we await replies from the Department to the questions raised by Mr. McCarthy?

Yes, and that we consider all the information available and then make a decision on an informed basis.

I propose a different course of action. From what I have heard over several meetings, I am satisfied with the integrity and security of the system. As I said earlier, it was tried and tested in three different constituencies at the last general election and nobody had any complaint apart from the presentation of the count results, a problem that has been rectified by the Minister and his officials. It is now December and it will probably be February before the Department responds to those questions, a mere three or four months before elections in June. To be fair, all the major parties have agreed in principle that electronic voting should happen. This was agreed months ago. I accept Mr. McCarthy still has concerns and I have no problem with those concerns being addressed and examined by the Department. If, as a result of the Department's responses, the committee feels major difficulties will arise with electronic voting, we will consider the matter again. I propose now that we fully endorse the implementation of the electronic voting system and that we encourage the Minister and his officials to roll out their programme as early as possible.

If Deputy Cregan persists with that proposal, he will divide the committee and it will become a partisan issue. The result for the Minister will be that he will have to proceed with a new electoral system in the face of opposition. That is not in anybody's interest. I would like the committee to get to the stage of saying that we have examined the system and are satisfied with it. We are not at that stage yet.

The evidence presented today suggests that this country is about to hand over ownership of control of critical parts of the electoral process to private companies. I have repeatedly asked for information on the source code. The basic information under which the system operates is owned by a number of companies, a half a dozen people who effectively control the type of electoral process we will have. I am not satisfied yet.

There is no mad rush to have this system in place for the local and European elections. The Minister set that target but it is not the end of the world if they proceed on the same basis as elections have proceeded down the ages. The system is geared for that. Judging from what we were told about the state of preparedness, it is debatable whether the system is ready to go in June. It might be in our interest that the June elections be held under the old system and that we have more time to examine the electronic system.

The companies promoting electronic voting have drawn attention to its operation in other countries and assert it is working well. I would like the committee to get some political opinion from those other countries. We are nowhere near the all-clear point suggested by Deputy Cregan. I am not prepared to give it the all clear. I agree with Deputy Allen that we should await the responses from the Department. The prudent choice to make is to let the June elections go ahead under the old system and to give more time to satisfying ourselves and the public that the new system is safe and secure.

There is another vote in the Chamber. We will suspend for it.

Before we suspend I would like to make a comment. Both members of and witnesses before this committee have expressed concerns. The Department of the Environment and Local Government is charged with the responsibility of overseeing local and general elections and it would be remiss of us not to endorse the committee's trust in the people involved in overseeing these elections. The longer we delay the more we undermine their ability to implement an electronic voting system which most members of this committee believe should be done. The problem is that some people do not have full confidence in the system, both Department officials and committee members. The matter does not just concern the local and European elections. The local election affords us an opportunity to test the apparatus well and to discover any difficulty or problem prior to a general election.

It is six minutes since the vote was called. We will suspend and come back to the issue after the vote.

Sitting suspended at 2.20 p.m. and resumed at 2.25 p.m.

I understand the concerns that some have expressed. Having listened to the views of the witnesses and the Department officials, I believe we should try to support the introduction of electronic voting. Reference was made to the fact that it does not matter if we do not introduce it in time for the local and European elections. However, it should be put in place as soon as possible to expose voters to it and ensure they have full confidence in it before the next general election.

The Department said it would answer in detail the questions posed by Mr. McCarthy. If he has any concerns about the answers, we can invite him to attend the committee again. In the meantime, we should try to express confidence in the Department officials charged with the responsibility of overseeing elections. Nobody is questioning their integrity but one could question their competence if, at the end of our deliberations, we were still delaying in spite of their advice to the contrary and their view that the system will work well.

Deputy Johnny Brady, and others who were elected to Dáil Éireann by the electronic voting system, have expressed confidence in it. Voters in the three constituencies concerned registered no complaints. The only issue at stake was the way in which the results were announced, but the Department has stated it will address this. We could debate this issue and listen to contributions by witnesses forever but we have to make a calculated decision on it. I suggest that we accept Deputy Cregan's proposal.

Deputy Gilmore stated it would not be the end of the world if electronic voting were not introduced. We would be a laughing stock if we were to ask the voters in the three constituencies where it was introduced to return to the manual system. It would have devastating consequences for the integrity of the system. June should be the deadline and it should be implemented at the local and European elections. This will be a big test of the system and we should work towards this.

This issue was raised many months ago arising from reservations raised by a group of consultants regarding the 2002 general election. The Minister proceeded with the introduction of the system for the local and European elections without consulting all the parties that will be involved in the elections, nor did he consult the public. It would make a mockery of the hearings we have held if we were not prepared to wait for answers to some of the issues raised by the experts.

The implications will be serious if this is pushed through. We will have a unilateral introduction by the Government parties of a system for voting in elections without full consultation taking place with interested groups. We have a job to do and should complete it. As Deputy Gilmore said, we should talk to people from other jurisdictions that use electronic systems and then issue our findings as quickly as possible.

It would make a mockery of our democracy if the Government parties pushed this through today. The source code is in the hands of six people that we know nothing about and who do not even live in this State. They are salesmen that are selling a product to us.

We have dealt with the issue of the source code.

It has not been dealt with to my satisfaction. While the verifiable paper trail is a cornerstone of our system, it is not being retained. I have serious reservations about this and I appeal to my colleagues not to divide this committee. We have carried out excellent work and should let it run for a few weeks so that we can all be happy and satisfied that the system is secure.

We do not have certain information. We do not have replies to the questions Mr. McCarthy raised. I asked the Secretary General for the analysis of the spoiled votes and I think we should have this. While the spoiled vote argument is a strong one, I do not recall it being made when the legislation was introduced. If the Department has carried out an analysis of spoiled votes, we should see it.

My understanding of what the Secretary General said is that the system is still in the process of being improved. The Department does not yet have the final version of what is going to be used in June. If Ireland moves to electronic voting in every polling station there will be no way to come back from it.

I take the point made my Deputy Cregan on the three constituencies where this has been used. I do not think those constituencies can return to paper-based voting. We could have a discussion with the Department or the Minister about an extension of the trial period. For example, the trial could be used to carry out end-to-end testing. A test needs to be carried out working marked ballot papers through the system and maybe the local elections is the ideal way of doing this. The marked ballot papers from a local electoral area could be inputted into the system. While I know it will not give the same result, it would give confidence in the system. This complete test has not been carried out. The local and European elections give the opportunity to further test the system. It would give everyone a longer lead-in to work though some of the difficulties.

It is now the end of December and the elections will be held in June. This will be a large logistical operation. If the Department has not yet finalised the system, I have my doubts whether it is capable of putting it in place by June. We might be doing everybody a big favour is we recommended an extension of the trial period rather than the complete shift over to it.

I support my party colleagues and the Minister in agreeing in principle to the introduction of electronic voting. While many questions have been raised, commitments have been made to purchase these machines. I am sure any obstacles can be dealt with.

There are two proposals before the committee. The first proposal seeks to postpone the decision until we get further information and replies to the questions raised. Deputy Cregan has proposed an amendment to this.

I propose that we endorse the efforts made to date by both the Minister and his Department. I know they are most anxious to have electronic voting in place across the State from June next. We are doing a disservice to both the public and the Departments officials by stalling this matter. I propose that we inform the Minister that we fully endorse the immediate implementation of awareness for the public and that we work towards having all polling stations operating electronically in June.

If this proposal is persisted with, it is going to turn this into a party political issue. Nobody wants to see confidence in the electoral process being further eroded. Genuine concerns have been raised and it is our duty to reflect them. If the Government parties insist on putting a proposal to the committee asking it to fully endorse a system that some of us are unhappy with, we will not support it. Subsequent to this, the introduction of electronic voting in this country will become a party political issue. It will be the introduction of electronic voting by Government parties in the face of opposition from the two largest Opposition parties. While I do not know the experiences of other countries, the majority does not persist with major changes to the way in which elections are conducted in any democracy when the main opposition forces express significant concerns. That is a dangerous road to go down. If it is persisted with, the issue will be contested on a party political basis. That will not be any good for the issue itself or for people's confidence in the system or in those who are proposing it.

Nobody wants to divide the committee, but I look forward to campaigning against the Opposition parties at local elections on whether electronic voting should be implemented. It is disappointing that party political points have been made on this issue, although not necessarily by Deputy Gilmore. Officials in the Department of the Environment, Heritage and Local Government are charged with the responsibility of running elections - that is a fact of life. They are trying to bring in a system that will make elections more efficient, easier to hold and easier to count and, in the event of a recount or any challenge, smooth matters considerably.

The officials will answer the concerns raised by Deputies of the Opposition parties, but this will delay the implementation of a system that will benefit everybody. It will not be introduced before the next elections and then there will be a problem if there is a general election. The confidence of individuals or the Opposition may not be there so the general election will be delayed again. Commitments have been made and the people that have voted electronically have embraced the system. We would be doing a disservice to them, to the members of the committee and to the officials of the Department who have expressed confidence in the system.

To be fair to the Minister, when the legislation was introduced in 2001 that enabled us to hold elections with electronic voting, there was general support for this. The system appeared to be a success in the three pilot constituencies. No great concern was expressed at the time except about the manner in which the results were announced. People talk about lack of consultation, but the best manner of consultation was the pilot scheme. To accuse the Minister of not consulting is not entirely accurate. We cannot stay here all afternoon and there is no reason for us to repeat over and over what we have done.

Nobody is against the introduction of electronic voting in principle. I am concerned about the technology being used, the security of the system and the ability to verify the system. Those are my concerns, which have been expressed again today. Having invited people in who went to the trouble of presenting detailed submissions, we are now pressing ahead on a political basis without ensuring their concerns are responded to. It is a serious matter if this is pushed through today on a political basis because it will become an issue.

Delay will become an issue.

It will not be about who is in favour and who is not in favour of electronic voting, but the security of the system.

It was proved to be viable at the last election in three different constituencies. The security and integrity of the system was not in question.

I remind Deputy Cregan of the Zerflow report and the concerns expressed about the proposed system.

We have the proposal from Deputy Allen and an amendment from Deputy Cregan.

It would pity to divide the committee on this issue. Deputy Cregan should withdraw his proposal so we can discuss a way of extending the trial.

It would be a useful exercise to work through the concerns that have been expressed by members of the committee and by people appearing before it. It would not mean an about-face for anybody.

As has been pointed out, the Minister has already entered into contracts for the machines and in the public relations side of things.

That does not reverse it at all.

It could cause certain difficulties.

The committee has heard evidence from people who know about computers that they are concerned about this system and they do not regard it as safe.

Some people have said that. There are as many more who do not have the same concerns. It is a matter of opinion.

We have heard their opinions and concerns.

We have heard their opinions, as has the Department.

We have heard about the three constituencies in which the system was tested during the general election. The problem is that we do not know the results of the test because there is no paper record. We are all operating on the basis of trust. We do not know whether there were glitches or errors or bugs in the voting machines because there is no record.

To be fair, Mr. McCarthy did not have only 40 questions - there were perhaps 100 more questions contained within his questions. He expressed his main concerns about it and raised a number of issues that were dealt with by the other representatives, perhaps in a rather comprehensive fashion. It is not as though he has concerns that have not been addressed. He might not be happy with the responses he received, but the Secretary General and the experts who accompanied him dealt with a number of his concerns.

Question put: "That the joint committee endorse the efforts on electronic voting made to date by both the Minister and his Department."

As there are fewer than 12 members present, under Standing Orders we are obliged to wait eight minutes until the full membership is present before proceeding to take the division. As there is a vote in the Dáil we will suspend until it is finished.

Sitting suspended at 2.47 p.m. and resumed at 2.56 p.m.

We will proceed with the division.

The Committee divided: Tá, 9; Níl, 4.

  • Deputy John Cregan.
  • Deputy Noel Grealish.
  • Deputy Michael Moynihan.
  • Deputy Mildred Fox.
  • Deputy Billy Kelleher.
  • Deputy John Moloney.
  • Deputy Seán Power.
  • Senator Michael Brennan.
  • Senator John Dardis.

Níl

  • Deputy Bernard Allen.
  • Deputy Éamon Gilmore.
  • Deputy Pádraic McCormack.
  • Senator John Paul Phelan.
Question declared carried.

The proposal is agreed and the text will be conveyed to the Minister.

I remind members that the select committee will consider Committee Stage of the Residential Tenancies Bill 2003 on Wednesday, 21 January 2004. This is a substantial Bill and I suggest we consider it again on Thursday, 22 January 2004.

Today the joint committee was due to meet officials from the Department of the Environment, Heritage and Local Government to get an update on two EU documents, COM (2003)18 and COM (2003)32, dealing with the safety of nuclear installations and the management of spent nuclear fuel and radioactive waste. The joint committee will now meet these officials on Wednesday, 7 January 2004.

I wish all members of the committee and their families a peaceful and happy Christmas and new year and look forward to seeing them in January. I thank the officials for their help during the year.

The joint committee adjourned at 3.25 p.m. until 11.30 a.m. on Wednesday, 7 January 2004.
Top
Share