JOINT COMMITTEE ON ENVIRONMENT AND LOCAL GOVERNMENT debate - Wednesday, 10 Dec 2003

Vol. 1 No. 18

Electronic Voting: Presentation.

On behalf of the joint committee I welcome Ms Margaret McGaley to today's meeting. We will hear from Ms McGaley first and then take questions from members. I draw Ms McGaley's attention to the fact that members of this committee have absolute privilege but the same privilege does not apply to witnesses appearing before the committee. Members are reminded of the long-standing parliamentary practice to the effect that witnesses should not comment on, criticise or make charges against a person outside the House or an official by name or in such a way as to make him or her identifiable.

Ms Margaret McGaley

I thank the committee for inviting me to give a presentation. I hope I can address some of the issues members may have with regard to electronic voting. I am currently working on a PhD in the area of electronic voting at NUI Maynooth, which is where I obtained my BSc in computer science. My final year project was about electronic voting and my conclusions led me to set up the organisation Irish Citizens for Trustworthy E-Voting, ICTE. E-voting refers to any voting system with electronic parts.

ICTE was set up to convince the Government that e-voting in its proposed form poses a genuine threat to our democracy. Many of our members are computer professionals. We are not Luddites, afraid of technology, but concerned citizens who recognise the very real dangers associated with electronic voting. We are not saying that e-voting is unworkable, but we are calling for some minimum safety precautions.

There are several issues I do not have time to cover in my presentation, but I will be happy to answer questions on such issues as the use of formal methods and opening the source code to public scrutiny. These are important issues, but they are secondary to what I will talk about today.

I will explain the dangers we see in the proposed system and the solution we propose. Nedap-Powervote claims that its software is 100% accurate. If the software had been developed to the highest standard possible, for example to the standard generally attained by NASA in its software projects, it would still be expected to contain a minimum of 60 faults. NASA, whose employees' lives depend on the reliability of its software, is among the world's most accurate software developers. If NASA, which employs rocket scientists, could expect 60 faults to be contained in a software project the size of the Nedap-Powervote system, then how many more faults could we expect to find in a system developed by a company nowhere near the NASA calibre? My own experience has taught me that no reliable software developer would dream of claiming 100% accuracy.

The main problem is that if the proposed system was not behaving as it should, either by accident or because of malicious tampering, effects on vote outcomes might never be detected. This is because results cannot be independently verified. As a voter, what proof have I that the vote displayed on the voting machine is the one stored inside it, or that it is counted correctly? I have to trust that the hardware and software are storing and counting my vote correctly. That means that instead of trusting gardaí and election officials as we do in the all-paper system, we must trust software engineers. Furthermore, any successful tampering with the all-paper system affects one constituency on a single occasion, whereas a successful attack on the electronic system could affect every constituency every time the system is used.

The simple solution is to provide tangible evidence to each voter that his or her vote is recorded correctly. I propose that any e-voting system used in Ireland must provide a voter verified audit trail in which every voter sees his or her vote on a piece of paper go into a ballot box. These paper ballots would be the official record of votes cast and would act as a safeguard. Errors in the electronic system would then be detectable, because results could be independently verified. Recounts would be done using the paper ballots. A system of spot-checks would also be introduced whereby constituencies would be chosen at random and the paper ballots counted to confirm the electronic results. The handout I have provided contains a clear explanation of voter verified audit trails.

I will dispel three myths about voter verified audit trails. The first is that they endanger the secrecy of the ballot. This is not true. There would be no connection between vote and voter, just as there is no connection between vote and voter in the all-paper system. The second myth is that recounts based on the paper ballots would give different results from the electronic count. This is also untrue. Just as recounts in the all-paper system make the same transfers as were made in the original count, recounts based on the paper ballots would make the same transfers as were made in the electronic count.

The third myth is that the proposed system provides an adequate audit trail. The so-called audit trail provided by the Nedap-Powervote system serves no useful purpose and does not mitigate the need for a voter verified audit trail. It is a print-out of the votes recorded, but provides no assurance that the votes recorded are the votes cast.

The Nedap-Powervote system is currently not safe. If we must have electronic voting in this country, then we must either replace Nedap-Powervote with a cheaper system using scanners, or alter the Nedap-Powervote system to include a voter verified audit trail. The first of these options, a new system based on scanning, would look very similar to the all-paper system from the voter's point of view. At the count centre, votes would be scanned and counted electronically. The second option, altering the Nedap-Powervote system, would involve the addition of a printer to each voting machine. When the vote is cast, the ballot paper would be printed. The voter confirms that the printed ballot is correct, and it is deposited into a normal ballot box. With the addition of printed ballots, at least the potential exists to find any faults in the electronic system.

The Minister has repeatedly stated that he is satisfied the Nedap-Powervote system can be trusted. When it comes to the electoral process, it is not enough that the Minister or the Government or even the Opposition be satisfied. Above all, the electorate must trust the electoral process. As it stands, the proposed system is not worthy of its trust.

Thank you very much.

Ms McGaley did not refer in her paper to the source code. The last time this committee considered the issue of electronic voting, we questioned the Minister and his officials on the source code. We did not get satisfactory answers. Has Ms McGaley looked at the source code area and has she come to any conclusions?

Ms McGaley

Yes. All source codes should be open to public review and scrutiny. We will have to rely on the electronic results in some cases because the paper ballots will not be counted every time. Accordingly we have to make sure that the electronic system is as reliable as possible.

One of the methods by which that can be done is by releasing source codes to public audit, so that anyone who is interested can look at the source code to see if there are errors there. All the software used in the system should be open to public scrutiny. That does not pose any problems regarding the security of the system.

One of the examples used to describe why source codes should be made publicly available is that of a lock on a door. We all know how such locks work. We understand the basic principle. We trust that the lock is safe enough to keep the door closed. Releasing the source code does not pose any problems for the security of the system but it provides advantages in terms of people being able to trust the system.

In terms of the scrutiny of the system, is Ms McGaley aware of any consultations with Irish experts on the proposed system before the Minister and the Government decided to spend €38 million on it?

Ms McGaley

I am not aware of any consultation.

Regarding the verifiable paper audit trail, what guarantees are there in the system proposed by Ms McGaley that the vote registered by the machine will be the same as the output to the paper recorder?

Ms McGaley

The guarantee is that it is possible to look at the paper record. The voter can be assured that the vote is properly recorded on the paper. We know that we can check the results, so it is much more likely that the system records the vote correctly electronically. We would choose random constituencies every time there is a vote, and check the paper ballots to confirm that the electronic results are the same. If they are not, then all constituencies' results would be recounted on paper.

Regarding the storing of the paper print-outs in order to guarantee the secrecy of the ballot, what guarantees would there be that a person inspecting the print-out would not remove the print-out from the polling booth?

There are different ways in which that could be done. One could print the ballots behind a screen, so that the voter could not touch the ballot. Once the voter confirmed the ballot as correct, it would be snipped off and put into a normal ballot box. The voter would have no physical access to the vote but would be able to see it on paper.

When the Minister was here at our last meeting, he addressed some of the criticisms made of the system being introduced, in particular the lack of a paper trail. He stated:

If the High Court or Circuit Court at a local election petition hearing orders a recount of the votes, the system will print a ballot paper for each vote cast, which will have two numbers on it - a computer number created after the votes are mixed for the whole constituency, and the number of the count at which a vote was transferred. Consequently it would be possible to manually recount the votes if required.

If the Minister says the system can give a print-out of the votes cast, how does that differ from the voter verifiable audit trail that is proposed? That is my first question.

As regards the source codes, it has been suggested that if they are released, instead of providing adequate security, that will raise the possibility of corruption of the system. If people know the source codes they can have access to the system. What is the answer to that question? Do I understand correctly that what is being suggested as a positive alternative to the present system is one where the voter would still manually mark a ballot paper and this would be scanned at a count centre? This strikes me as a time consuming way of counting. Under the existing system a count can take up to 12 hours minimum on a good day or longer——

It can take longer if one is in trouble.

Indeed, do I not know it? If people still go to the polling station and vote electronically, that does not speed up the voting process. The only thing that is speeded up under the present system is the count. By how much would that method speed up a count?

Ms McGaley

First, the audit trail provided by the Nedap-Powervote system does not add any advantages. It just prints out the contents of the ballot modules. If one does not trust the contents of the ballot modules one cannot trust the print-outs. The way it differs from a voter verifiable audit trail, which is what I propose, is that with the latter the voter sees his or her vote on a piece of paper put into a ballot box. Each voter can be assured that his or her vote is recorded correctly, which means we can be sure everyone's vote is recorded correctly. That is where the difference between the two systems lies.

If the ballot module incorrectly records the voter's vote, then the print-out will also be incorrect.

Ms McGaley

Exactly. If the record on the ballot module is incorrect, then the print-out will have exactly the same mistake in it.

To open the source code to public scrutiny should not reduce the security of the system because if it is secure at the outset no one will be able to find any flaws in it through the source code. Having the source code open to the public does not allow more access to the machine. To change what is on the machine, one needs to have physical access. If there are errors in the source code when it is released, however, then it is much more likely that someone who is interested will find those because there is a big difference between one software company reviewing the source code and hundreds of interested Irish citizens doing this. It does not reduce the security in any way. It might highlight security problems in the software, but it is not going to reduce the security of the system. If the system is insecure it is insecure. To release the source code will not make it insecure.

On the Deputy's third question, I have not calculated how much time would be saved by scanning ballots. It is used in the United States, in some states. There are machines which can automatically scan ballots. A pile of ballots could be put into a machine and they would be fed through automatically. It would be faster than a manual count, particularly since the count itself takes a short time on a computer. It is the kind of thing computers do well. The time consuming part of that operation would be the scanning. It would be significantly quicker than hand counting ballots.

I presume this issue of the sort code is somewhat like asking a car salesman to open the bonnet of a car before one buys it. I do not want to suggest that the Minister for the Environment and Local Government, Deputy Cullen, is a used car salesman, but it seems to be analogous.

Continuing with these analogies, the system that Ms McGaley suggests is somewhat like doing the lotto, seeing the card before it is punched into the machine. In this case the card is given over to someone for safekeeping. One actually sees a non-electronic version of it before finally surrendering the ballot paper. Am I correct in that?

Ms McGaley

Yes.

Going on from that to the adoption of a system like this from abroad, I understand that the state of California intends to introduce a verifiable audit trail as and from next year. Is that right?

Ms McGaley

Any new machines bought before 2005 must have a voter verified audit trail.

So the technology is there to do this. That was a cause of concern. If the technology is there it is worth bringing it in. Another question is whether people will be allowed access to these machines to see what damage they can do to them. I believe the phrase is "penetration test", where the vandals are let into the phone booth, as it were, to see what damage they can do, so that a better phone box may be designed as a result. Has there been any testing of this type, where the hackers are allowed to do what they want with the system? Is Ms McGaley aware whether this type of testing has been done?

Ms McGaley

I am not aware of any penetration tests done on the system. I know Zerflow did some testing on the machines. I believe Mr. Hogan and Mr. Cochran are going to speak about the Zerflow report.

Given the shortcomings Ms McGaley has identified, does she feel we should use a complete electronic voting system in the local elections next year?

Ms McGaley

Definitely not.

In connection with the print-out ballot, Ms McGaley says a person may cast his or her vote electronically, after which there will be a print-out ballot. This would not be accessible to the individual. It would then be put into a ballot box. Therein lies a problem immediately. A person could jeopardise the voting system by voting and then maintaining that this is not the recorded vote that he or she put in the computer. A system could be orchestrated that could create difficulties: a person goes in and casts a vote and then denies that what is on the ballot paper is the vote which was cast. This could be replicated over and over. It could create difficulties. Who will verify whether the vote registered electronically is the same as the vote cast on the ballot paper? When does the verification take place?

While Ms McGaley has outlined issues of concern, has she ever come across a system that has failed as regards this type of electronic voting system? NASA lost two of its space shuttles, Challenger and Columbia, so no system is 100% guaranteed. Has there ever been a failure as regards electronic voting with the capacity to change the outcome of an election on a national scale?

My final question is about penetration testing. These electronic voting machines are not inter-connected. They are brought to a polling station and placed there in isolation. A person casts his or her vote. The only way a person could hack the system would be with a hatchet. It cannot be accessed through the Internet or anything for hacking purposes. The only way it may be tampered with is either at the production or design stages. A suggestion has been made that there is potential for hacking. How can one hack a system that is not connected to the Internet? Will Ms McGaley please elaborate?

Ms McGaley

Hacking is not what we are concerned about, since the vast majority of successful attacks on computer systems come from inside. Why should I believe that every Nedap employee is trustworthy? I am not suggesting the employees are not trustworthy, but there is no reason that I should believe that they are. The real concern is that along the production line something may be changed or an error introduced to the system completely by accident and the change will never be discovered. That, rather than hackers, is the real concern.

We must assume it is possible to have errors in electronic voting systems and safeguard against them. In the United States there have been real concerns about the results, for instance in the recent election in Fairfax, where several voters claimed their vote had been changed. They entered their vote on the machine, but a particular candidate's name disappeared from the cast vote. When the officials tested a machine, they could see the particular candidate's name disappear approximately every hundredth vote. This is of serious concern. In Texas, in three separate polls in separate precincts candidates from the same party won with exactly 18,181 votes.

Vote management. It works that way.

Ms McGaley

The validation of votes does not arise in the paper ballot. If a voter claims under the proposed Nedap system that the machine will not allow him to cast his vote correctly, how would that be dealt with? Does he call in an election official, and lose the secrecy of the ballot? This problem is introduced by direct recording electronic systems, not by the paper added to them.

Another analogy is the deck of cards. If you were playing cards against someone and he would not allow you to look at the deck before you started, would you not have serious concerns about that deck? There are good analogies to indicate why we should be allowed to view the source code and satisfy ourselves about it.

On the question of postal votes, where someone fills out a ballot paper and it is fed into the machine, can those votes be validated by the original paper if the machine gives a total print-out? Would it be better to have a print-out to validate the votes cast than the proposed system? Would that be a safeguard, as Ms McGaley stated?

Ms McGaley

I do not really understand the question.

With a postal vote, the voter marks a ballot paper and if it is subsequently fed into the electronic voting machine, is there a way of validating postal votes under the proposed system? If there is a recount, the machine produces a full new vote for each vote cast, but it does not come back to the postal voting system.

Ms McGaley

There is no connection between the record in the machine and the postal vote it represents, so there is no way to determine which votes in the memory are postal votes and which were input by individual voters.

Is it correct that the postal votes cannot be rechecked?

Ms McGaley

Some checks are possible. One could check that at least that number with those preferences existed in the records, but it would not check anything other than postal votes which are a small percentage of the ballot cast.

To be upfront, I cannot trust the system for various reasons. On a busy evening in the last hour of voting, how can you train people to vote on an electronic voting machine where they must then go in and do the right thing and vote at the same time?

Some of them will never do the right thing.

We may try to get them to do something in the right way, but they may do it correctly or incorrectly. In my considered view, we are at the start of an escapade, from what I have seen so far of electronic voting. The people who will see the machine for the first time will look to see who made it, where it came from, and what button to press and there is every chance in the wide earthly world they will press the wrong button. If I gave an accordion to somebody who had never before played it, do you think he would play The Stack of Barley or some tune like that? He would make a noise when he pressed the buttons, but that is all. My view is that in the last hour of voting, the people will make noise with the machine but will not hit the right keys.

The Department of the Environment, Heritage and Local Government officials outlined to the committee the benefits of electronic voting machines, but some committee members expressed doubts. Today Ms McGaley is voicing her doubts on the system. When we meet again, would it be possible to have both departmental officials and Ms McGaley attend a committee meeting so that we have an open and proper debate on the matter?

The committee is aware of the work Ms McGaley has done on electronic voting and she was invited to appear before us to give us the benefit of her expertise. This evening we will decide as a committee on how we should proceed.

We are only in the first half of the game, so before the final whistle goes, perhaps we could have the two teams together.

I thank Ms McGaley for her presentation. Is it correct to say that Ms McGaley is concerned that somebody may tamper with the process during the manufacture of the voting machines? The Minister issued a statement some time ago that a specific security code can be put in place at all stages and that voting machines and count pieces are completely stand-alone and therefore free from the Internet. Are we saying there is a grey area where somebody could tamper with the machines during the manufacturing process? Is Ms McGaley satisfied with every other aspect?

Ms McGaley

I am not entirely satisfied with everything else. I think the possibility of tampering at some point in the process is the biggest issue, but the one simple way to safeguard against any type of tampering is by introducing a paper trail. One can forever cite possibilities of attack, when and how people could get into it in Nedap, but the one simple way to cover all the possibilities is by the introduction of a paper audit trail. I as a voter must trust politicians.

It is a hard thing to do nowadays.

On the question of tampering with the voting machine during the manufacturing stage, you would have to assume that the person who would tamper with it would not be aware of which candidates were standing in the constituencies where an individual voting machine would be located. While they might tamper with the machine, they could not maliciously falsify the outcome of an election as they so desired. Is that correct?

Ms McGaley

No.

They would not know the candidates or the constituency where the voting machine would be located.

Ms McGaley

They could put in checks. The machine could check for a particular political party and alter the results based on that. The information on the candidates will be in the voting machine while it is being used and the person who is tampering with it could prepare certain categories of change. For example, it is possible to say that every fifth vote or every hundredth vote for a candidate from Party A should be changed to Party B. It is possible to do such things and one does not need to know the specific candidates while making the changes. I have not seen the sort code system as it is not publicly available. I feel sure that is possible.

Is Ms McGaley saying it is technically possible?

Ms McGaley

Yes.

Will Ms McGaley confirm that my interpretation of what she is saying is correct, that in the absence of a source code and in the absence of a paper audit trail she does not have confidence in the system being adopted here, that she believes there should be wider consultation with experts within this jurisdiction and that there should be a cancellation of electronic voting in the local and European elections next June until such time as there is a full and proper investigation of the whole system by an independent group of experts? My interpretation of what she is saying is that there is an absence of trust by experts, within this country, in the manner in which the process has been pursued to date.

Is it appropriate for a Department with a political head to drive this project rather than an independent electoral commission? Should serious consideration be given, if not by the Government parties, by other political parties not to participate in electronic voting until this whole mess is sorted out? I mean mess, because to date €38 million has been spent and there has been no consultation whatsoever with parties other than what has happened here during the past few days.

Ms McGaley

I would prefer to see this run by an independent body outside of the Government. I do not trust the machines as they stand and I will not trust them until they show me a paper ballot of my vote. I will not trust any electronic system until I see my vote on paper go into a ballot box. I am not alone in this. Nearly all the opinions I have read from people with experience in computers have said this is a serious issue and that electronic voting systems cannot be trusted without paper trails. At the back of the handout there you have opinions from some experts - Ross Anderson, Cambridge University; Jason Kitcat, an English software developer; Rebecca Mercuri, who has been working on electronic voting for more than ten years and is probably the foremost expert in electronic voting, and Dr. David Dill of Stanford University - all of whom say this is a serious issue and that we cannot trust electronic voting systems that do not provide a paper audit trail.

Am I correct in saying the system that is proposed for introduction in Ireland was the subject of Ms McGaley's study? Have any other academic studies been conducted in any of the other universities or institutes of education on the system that is being introduced?

Ms McGaley

Not that I am aware of.

From Ms McGaley's knowledge of other academic opinion - presumably she is in contact with others in the field - what is the general view? Obviously her own study is her own study but what is the view of her peers on the issue? Do they agree with what she has said about it?

Ms McGaley

I would say my peers agree with my opinion. I set up this group, ICTE. We have 65 subscribers, all of whom are of the opinion that this is an issue worth pursuing because it poses a genuine threat.

Are they academics or the man in the street——

Ms McGaley

There would be many academics and many computer professionals with long-standing careers. I have not spoken with members of departments outside my own department. Certainly all the members of my department with whom I have discussed it agree this is an important issue and that we cannot trust it without paper.

Did the Government or the Department not ask your opinion?

Ms McGaley

No.

This is a slight variation on that question. Would Ms McGaley like to see electronic voting if those safeguards were provided?

Ms McGaley

I would be happy with electronic voting if it had those safeguards.

Has Ms McGaley examined similar systems in other countries?

Ms McGaley

I have read only newspaper reports and other people's articles about other systems. I have not gone into any detail on a similar system.

To refer to the previous pilot scheme in the last general election in four or five constituencies, were paper ballots used along with electronic voting?

Ms McGaley

No.

Was the Zerflow assessment of the general election a fair and balanced report on the system as inspected by Zerflow?

Ms McGaley

The next two speakers will speak more about the Zerflow report so I would prefer to leave it to them.

I thank Ms McGaley for her presentation and for the manner in which she answered the questions.

On behalf of the joint committee I welcome Mr. Shane Hogan and Mr. Robert Cochran to the meeting. We shall have a presentation from the witnesses followed by questions from members of the joint committee.

I draw the attention of witnesses to the fact that members of the joint committee have absolute privilege but the same privilege does not apply to witnesses appearing before the joint committee. I remind members of the long-standing parliamentary practice to the effect that members should not comment on, criticise or make charges against a person outside the Houses or an official by name or in such a way as to make him or her identifiable.

Mr. Robert Cochran

On my own behalf and on behalf of Mr. Shane Hogan, I thank the joint committee for inviting us to come and speak here. Perhaps I can make one or two preliminary comments before commencing our brief Powerpoint presentation of four slides. I shall deal with the first part and my colleague will deal with the latter part.

By way of introduction, we are both very experienced practitioners in the IT and software area, Mr. Hogan has over 25 years' experience and I have over 30 years' experience. The joint committee may be interested to know that I was the consultant called in by the then Leader of the House in 1984 to conduct the first study of computerisation of Leinster House. I have much experience in dealing with technology and its impact on public policy areas both in Ireland and elsewhere.

Another preliminary comment I would make is that it has been mentioned outside this House, in a somewhat disparaging way, that we are members of the Labour Party. Yes, we are, and this is the reason we were asked by Deputy Gilmore to write a report. We have written our report as IT experts and we speak here as IT experts, not per se as party members.

Thank you. To avoid any misunderstanding, we were well aware of the witnesses' membership before inviting them in and we are perfectly happy to have them here.

Mr. Cochran

Thank you, Chairman, but I wanted to make our position clear. I want to make one other general comment before I commence my presentation. As we are experienced IT professionals, we are very much in favour of the technology in general. We make our career out of the technology - we earn our living from it. When the idea of electronic voting was raised, the initial reaction of both of us was very much to welcome it. However, as we examined it we became increasingly concerned about a number of aspects of it. That is from where our report arose.

In general, the system proposed for Ireland is considerably better than the systems used in the USA, as there was some discussion about the position in the USA. Despite the fact that the system proposed here seems to be better, it still gives rise to some issues of concern with which we would like to deal. We will not cover the same ground covered by the previous speaker. We generally endorse what was said, and we will also seek to add to it.

We start from the basis of considering that any electoral system must have strong support and perceived trust by the electorate. Fortunately in Ireland we have a system in which there has been strong trust, mainly because it has been a fair, open and transparent one in everything from the tallymen at elections, to observers at count centres, to the exemplary record of the returning officers over the years, which has been acknowledged.

This is where we are starting, but on the other hand we recognise that candidates' elections have been decided, including very recently, by a handful of votes. Members will be conscious of recent cases in the High Court in this regard, and we know of others in the past. Therefore, it is important we should get this system exactly right because it could be the last few votes which make the difference in respect of a handful of seats and potentially the composition of the Government. It is essential that any new system is transparent and maintains the trust that has been there historically. Our thesis is that in a number of important aspects it does not do so.

Allied to that, as we all know, unfortunately there has been a decrease in the number of people who vote. People are losing faith, to a certain extent, in politics. If we introduce a system which they do not trust or with which they believe there is a problem, that problem will be exacerbated, which will create a further difficulty. We are asking people, to a certain extent, to take a leap of faith with this system, but it may be a leap too far. Mistakes have potentially a high impact in this regard, and therefore it is important to get this system right.

I want to outline some general concerns about the new system, some of which overlap a little with the previous presentation. In many respects, the system is not transparent to the voters. In many cases, it is literally a black box. A voter will press the button, something magic will happen and the result will come out the other end. The ordinary voter will not see or understand what will happen. That may be a concern unless voters are sure that what will happen is 100% exact and correct.

With the manual system, there is the well trodden path of recounts, recounts of recounts and so on to ensure that the result is right. Effectively, it is a form of audit. Most businesses will have their accounts on computer and there is a legal requirement that one must have a paper audit trail to ensure that one can, if necessary, check the original paper records and ensure that the accounting system and books of the company are correct. In a sense, all we are asking for here is something equivalent to that. If every business considers that is necessary, why should it not be considered necessary in respect of the national voting system?

That is more a requirement for Revenue than for business.

Mr. Cochran

Yes. Having examined the way the system has been run in the pilot centres, we were concerned that there is an extreme lack of a formal control process and procedures in place. At this stage there is no security plan in place. I am not talking about the innards of the machine but the procedure governing how the election is carried out. At the last meeting, the Minister promised that there would be such a procedure in the new year, but as of now - this has been confirmed by correspondence with the Department - there is none. There is a considerable lack of what I, or any person in my capacity, would regard as normal, good control procedures for the manner in which this process will be carried out.

As members will be aware, a number of independent consultants were called in by the Department and we will talk about those in more detail later, but in general the attitude of the Department seems to have been that these concerns were merely nit-picking and not a real problem. However, we disagree. We think that they could give rise to real problems. The fact that the results of the findings of those consultants have been largely ignored is a matter of concern to us.

The work of those consultants and other activities that have taken place have tended to examine isolated bits of the system such as the machine, the software and various other aspects. There was little, if any, examination of the totality of the voting system in an integrated end-to-end way. Anybody in our business would recognise that one can have all the bits of a system right, but when one puts them together the system may not be right. That area has not been adequately addressed.

The stated financial economies it is expected will accrue from the introduction of this system are not at all apparent to us. There will be savings in paper costs and fewer staff will be employed at count centres, but from our analysis considerably more staff will need to be employed at polling stations. It seems a saving is being made in one area but the system will involve a higher cost in another area and how that will lead to a net cost saving is not clear to us.

I want to put in context the feedback from the Department and the Minister on the work of the six independent consultancies, or the other parties, which have been involved in reviewing the system. In particular, and this is probably the most important point, there has not been a holistic review of the system end to end. No independent party has examined the selection process, for example, as to why a supplier and machine were picked. No independent review was carried out of the value for money aspect of the system, of the software licensing or of the proposal to transfer data between different systems on floppy discs and CDs. There are large gaps in the reviews that have taken place so far. Each of the consultancies reviewed individual pieces of the system. In some cases, water drip tests and knocking-off-table tests were carried out which, while important, are hardly absolutely critical in the overall scheme of things.

I want to point out specific points regarding those tests. The Electoral Reform Society, the ERS, reviewed the count software and, as was acknowledged at the last meeting, the randomisation, or the feature which mixes up the votes before counting, was disabled for its tests. The reason for that was explained at the last meeting, but that still does not get around the fact that software will be used in our electoral process that has not been tested on the manner in which it will operate in the live environment. It was tested in one way, but there is a key feature in the live environment that has not been tested. That strikes me as being quite dangerous.

The ERS report states that the risk of failure is quite low, probably fewer than one in 1,000 elections, which might sound reassuring. To put it in context, each member of the committee may think, as the lotto advertisement has it, "It could be you." The Chairman's vote could be the one in a thousand not to be counted correctly. I share his views on the system.

Or is counted twice.

Or is counted twice. There is more feedback from the other reviewers. Nathean reviewed various pieces of the system. One of its initial points of feedback stated: "In general the source code has been well written and with a few exceptions seems to implement the count rules correctly." That is hardly a ringing endorsement and not the kind of stuff that comes out in the press releases from the Department of the Environment, Heritage and Local Government. These are the words the independent consultant used. There is another quote from a more recent Nathean document: "Nathean Technologies Ltd. believes that a more secure database may be warranted. We feel that those with an agenda of criticising the system cannot be argued with on this issue." These are key points from the independent consultant.

The Zerflow report was mentioned earlier. I know Zerflow issued a document in July of this year, a type of update on their findings. While it considers some of the issues, it does not address all the earlier findings. Three examples will suffice. It had an initial finding about recommending a perspex cover over the ballot card, about the 56-candidate limit in elections and about the lack of audit trails if candidates got mixed up or positions were switched. None of those items was addressed. The positioning that Zerflow has signed off on it is absolutely happy about. It certainly has not addressed these issues.

On a point of information based on FOI responses to some other parties, up to 13 November contracts for the system had not been signed in the Department of the Environment, Heritage and Local Government. Letters of intent had been issued but contracts had not been signed, so there may be an opportunity to act quickly to do something about this, without spending all that money. Our recommendation, as made in our original report, was to freeze the status of any further roll-out of electronic voting until these important issues are addressed.

We recommend that a voter verifiable audit trail, as Ms McGaley clearly explained, should be implemented. The Department of the Environment, Heritage and Local Government should investigate whether this can be retro-fitted onto the current machines. I would be surprised if it could, but I do not know. The manufacturers can give that answer, but that should be investigated.

The issues from the Zerflow report which have not been fully responded to should be clarified and addressed. Complete in-depth testing needs to be done, including the end-to-end testing mentioned by Mr. Cochran. Just to clarify, the trials that were done in the other constituencies do not count as end-to-end tests because the inputs are not known. A test means a set of known inputs are fed into the machine and what comes out at the other end is looked at. With the trials that were done nobody knows what each of those voters put in, so they do not count as end-to-end tests.

There should be statistical analysis of the randomised features that were switched off for the earlier tests. They certainly need to be checked so that it is understood how they will impact on the results. It is not something that is difficult to do. It would mean running a large number of counts through the system, but as the counts are done quickly, that would not take weeks. That kind of analysis is required.

The multi-election functionality was not tested or involved in the earlier trials. We have seen some departmental documents that refer to multi-user functionality, having multiple users at a count centre accessing a single database. That needs full investigation, as something new and a potential danger in the system. Likewise for the database security; we have seen some departmental papers referring to data transmission functionality and possibly sending results by e-mail or by phone. We have all seen further documents contradicting that and saying it will not happen for next year. However, there are references to that in departmental documents and those points should be clarified.

Our final recommendation, touched on by earlier speakers, is that control of this process should be put under some independent body, possibly the Standards in Public Office Commission. Members may have seen announcements from the UK on Monday. The UK Electoral Commission, which is an independent statutory agency, made the decision on Monday not to use electronic voting in their local and European elections next year. This is a decision from a statutory agency. It is not in any way political or tied into government ministries. It is a decision by an independent agency and that is the type of decision-making authority we appear to lack here. Those are our recommendations.

I am puzzled by the statement that contracts were not signed up to the 13 November. In the evidence the committee heard from the Minister, both in his last appearance and when we discussed the Zerflow report, I got the distinct impression that contracts had been signed. A €38 million contract for machines was talked about. The committee was told the machines were in Ireland and ready to go. In fact members were shown one last week. The distinct impression was that the contract was in place and that the machines had been purchased. The committee discovered on the last occasion that the €38 million was spent. Members expressed surprise at the time that the Department of the Environment, Heritage and Local Government had gone ahead while this committee was examining the situation. The committee discovered a further €4.5 million contract had been entered into as regards PR and selling the system. Some members expressed concern that this contract should have been entered into, aside altogether from the individuals who got it, while the committee was still investigating the situation.

I am sorry to interrupt the Deputy, but it should be pointed out, while not disputing the impression the Minister created, that he spoke to us on 25 November.

The FOI request came out on 13 November.

That makes it even worse because the Minister knew he was coming before the committee. If he had not signed contracts by 13 November he had certainly let the horse bolt before he met this committee because between 13 November and the date he appeared he had not only entered into a €38 million contract for the equipment, software and whatever, but signed a PR contract for €4.5 million the day before he met us to sell the whole concept to the public. I had reservations about the individuals who got the contract and I asked for details as regards the procedures adopted.

I find it appalling that €42.5 million has been spent and this committee has not yet concluded its examination of the situation. It seems that the Department of the Environment, Heritage and Local Government did not even consult with Irish experts on this situation. I agree that this committee must make some statement at this stage on the ongoing rush to spend money while the system is being examined by members. If there is not a statement, asking for a freeze on all moves by the Department of the Environment, Heritage and Local Government in this regard, the committee's work will be academic.

There is the issue of the independent body to oversee all of this. This is something we must adjudicate on also. As regards the independent audit and supervisory roles, could the witnesses give the committee more information about their proposals in respect of these?

We do not have a detailed proposal. The UK is a good model with its Electoral Commission as a separate statutory agency. The board is appointed, but its operation is independent of government. This commission is clearly empowered to make decisions and it decided on Monday to defer electronic voting for the local and European elections next year.

I accept the bona fides of the witnesses on their evidence while taking account of their position as the authors of a report commissioned by a political party. The submission by this group rests comfortably with Fine Gael. The party feels the democratic process is sacred. Any changes to it must be made with the full participation of all parties in the democratic process. My party has been totally excluded. There would have been no discussion on this matter if individuals had not raised it here in committee and at Question Time in the Dáil. Parties were not invited to become involved and no effort was made to establish an independent electoral commission to oversee the process.

Given today's evidence, the process should be stopped in its tracks and frozen until such time as it can be assessed by experts who are more qualified than we are to do so. We are lay persons undertaking a political role but we must employ some experts to assess the evidence being supplied to the committee, which includes many technical data. We must be given time to assess the overall situation. We are only seven months away from an election, yet we are being asked to race into introducing a system which has thrown up major questions. The system is being introduced unilaterally by a Department whose political head has a vested interest in it. In view of the evidence that has been given today, in the interests of democracy, the Government should call a halt and give us time to sit back, assess the situation, and then offer a balanced and reasoned judgment on what we are being asked to do.

I want to add one other piece of information. An FOI appeal came out on 5 December, which confirmed that contracts had not been signed on that date.

Do we know if contracts have now been signed, Chairman?

You have heard what I have heard. According to the information that has been supplied to us, including the leaflet, the contracts had not been signed up to 13 November. I am just making the point that the Minister appeared before the committee two weeks later.

Do we know what the position is now?

I have heard only what you have heard. I am no wiser about the matter than the other members of the committee.

The fifth of December.

We should find out for ourselves.

We can do that.

When the Minister was here at the last meeting, he placed much emphasis on the procedures. I understood him to mean that the procedures were in place with returning officers for matters such as making sure that the right ballot module went into the machine, that there was no tampering with it, and that they were then transferred to the count centre. I have discussed this matter on a number of occasions with Mr. Cochran and Mr. Hogan, but members will appreciate that I am genuinely surprised to hear that. I would like to hear more about the statement that the procedures are not yet in place.

Two scenarios are of concern. If somebody wanted to take a shortcut with the democratic system, and decided to plant one or two people in the employment of Nedap-Powervote, or whomever is making the software, is Mr. Cochran saying it would be possible for them to doctor the software in such a way that it could give an outcome that would be triggered by the name of a political party, as distinct from the names of candidates?

Depending on the degree of trust people have in everybody currently engaged in the electoral process, the second and more likely scenario might be that a mistake could be made due to an error in the software. The Minister stated the last day that Nedap-Powervote states the software is 100% accurate but how do we know that? We may hear these assertions but how can we check the matter? How does the IT business check it? We were told, for example, that under this system it could not happen that every hundredth ballot missed a particular candidate but how do we check that it is accurate? How can somebody check the assertion that the software is 100% accurate?

Mr. Cochran

I will deal with the last point first. No software is 100% accurate. That is a fact. Every piece of software has bugs, as we call them, in it.

What word did you use?

Mr. Cochran

"Bug" - an error, effectively. The question is whether they are important errors or insignificant. Will they cause us serious concern about the system or not? They are there, however, in all software. One can take steps to minimise them through rigorous testing techniques, although one will never eliminate them totally. I do not want to get into the technicalities of doing that, but we have not seen any detailed test data or results that have been carried out by anybody. Maybe they have or maybe they have not.

Reference was made in passing to what are called formal methods, which are mathematical techniques that can address to a considerable extent aspects of this matter. There are techniques that can go a long way towards satisfying an independent technical expert that there are no significant errors, but one will never have 100% accuracy.

Could the software be doctored? Yes, if one can get access to the source code from which the working software is generated in the machines. This ties in to the question from the previous speaker who asked if the source code was secure. The point is that the source code, from which the binary code that runs in the machine is generated, would be kept physically separate from the source code used to examine and test independently. If one gets access to what is run in the machines, yes, one could doctor it, in principle. It comes back to the principle of good security procedures. There are ways of ensuring that one has a master copy of software with which one is satisfied and one can take technical steps to ensure that the software running in every machine is identical to that. I do not want to get into the technicalities of how that might be done, but there are technical measures for doing it. If one can get back to the original place where the code is written, one can deal with it.

As regards the procedures, from the documents that we have seen, for example, the Department has confirmed that there were no security papers - and that is a direct quote - prepared for the trials that were done for the general election and the second Nice referendum. The guide for returning officers that I saw was a 20- or 30-page document. I saw one line about a password check on the machine, which to me would be grossly insufficient for the kind of control processes, including basic matters such as who can access the machine, what passwords should be used and how the machine should be checked when it is set up. The most basic of steps were not documented in the guide for returning officers. We understand that the Department is working on this and that a document is to come out next year. We look forward to seeing it. It was stated at the committee's last meeting that the document would be made public but it is unusual that no such documents were prepared for the trials.

The previous witness, Ms McGaley, talked about how software can be tampered with. That raises the spectre of a virus that might sleep in the programming software for a while and then come back to look for a particular party or candidate's name.

There is another serious deficiency in page 5 of the submission. It states it is possible the entire database on the count centre PC could be overridden. The traditional voting system involves elaborate procedures to secure the ballot papers in terms of how they are secured and who has access to them. A PC will sit on a table with its ports, CD drive and floppy drive exposed. Similar procedures are not in place in the electronic voting system. One could insert a CD and replace the access file on the hard drive, Matrix-style. Does Mr. Cochran stand over the statement that this could occur? Who will have access to the computer?

The traditional system contains a pyramid of checks and balances whereby the returning officer must listen to his or her staff and examine the ballot papers. Various reinforcing systems are in place, while the electronic voting system does not provide them. The Minister is saying "Trust us". Does it amount to that?

Mr. Cochran

In essence, yes. The Deputy is correct that parts of the machines not necessary for the activity such as the floppy disk drive or the extra ports at the back of the machine are not locked or disabled. One could envisage a situation whereby somebody not physically connected to the machine could have access to a wireless card in the machine. It can be argued such situations are hypothetical and unlikely but they are possible. There are no measures in place to ensure they do not happen.

If a returning officer must call for technical help to deal with PC problems on the day, how will he or she know what the technician is doing? What will happen if the technician must insert a CD to load a new drive? There are endless possibilities, some of which can be addressed through security measures and control procedures that were largely absent during the trials.

Sometimes security systems look great in practice. The password on my PC is "password" and I will change that later but the theory can often be great but the practice is different.

One of the most striking statements made by Mr. Cochran is that no system or software is perfect. We could discuss the system forever and a day and there will always be somebody who will say it is not perfect and there could be a mistake. Ballot papers have been used for years and they have been tampered with by individuals in polling stations. The current system is not tamper proof. A number of polling officers who know each other well, for example, could decide to fill the ballot box with ballot papers after the polling station closes. There is evidence this has happened. The paper system is not perfect and trust is required in all systems. One person tallies the votes and he or she must be trusted. People must be trusted somewhere along the line.

Is Mr. Cochran saying that because no system is perfect, an electronic system should not be used? If a proper electronic system is utilised and it is trusted, it should work well.

Normally, there is a paper trail and each vote can be checked. Even if one is not responsible for giving the numbers to the returning officer, each ballot paper can be checked.

People have access to ballot papers and boxes and when polling stations are closed, they can tamper with them.

That is not so. There is an agent in every polling station.

In many cases the two officers in a polling station have monitored elections for many years. When the polling station closes, they are responsible for ensuring the ballot box reaches the returning officer. In the meantime, they could stamp extra ballot papers and nobody else would know.

That cannot happen because every candidate has an agent in the polling station until the ballot box is sealed.

But the agent could also be in cahoots with the officers.

Every candidate has an agent in the polling station.

We will stick to what is being proposed.

A different system pertains in Deputy McCormack's constituency. There is not a garda in every polling station in my constituency, Cork North-Central. Reference has been made to officials and vested interests. Departmental officials are trying to implement a new system and, as we try to tease out potential problems, there is no need to set up independent commissions to tease out the difficulties. Departmental officials deserve a little credit.

Two groups which favour electronic voting have made presentations but they believe a number of changes should be made to improve the system.

I am highlighting that trust is required in every system. If a technician is called to a polling system to deal with a problem, there must be trust. If trust does not exist, no system can work.

Deputy Kelleher is correct that it comes down to trust. The electorate trusts the current system, irrespective of the stories that have been related about what happened in the dark old days in polling booths. Every count centre is packed with people who watch every ballot box as it is opened and they trust the procedures. They tally the votes and, if there is a significant difference between the tally and the result, a recount can be sought and the ballot papers can be checked again before the general public. There is trust in the current system and it is essential there is trust in the new system.

Unfortunately, we are at a stage in our political development where the public has less trust than it used to in anything involving politicians. I do not cast aspersions on the Minister for the Environment, Heritage and Local Government, who is leading the change, but it might be better if an independent body did so because the public might place more trust in such a body.

The system must be trusted by people in the long run and until an independent assessment of the electronic voting system is conducted and the doubt that the machine could be tampered with before it reaches the polling station eliminated, I will have serious reservations. I am wondering whether we are having this discussion after the horse has bolted and we are at the point of no return. We should hold up the horse for a while until we see how he is shod.

There is an element of trust in every system. There is a degree of openness and transparency in the current system that does not exist in what we are seeing today. If, for example, there is a High Court injunction, an inquiry or a High Court ordered recount, in the current system one can go back to individual ballot papers and mark registers. Under the proposed new system, one can only start with the record as it is on the count centre PC. One cannot go all the way back because there is no paper generated which the voter has seen and approved. Once the result comes out, there is no going back. Once the result comes out of the machine one cannot go back and order an inquiry or change the result.

Mr. Cochran

Perhaps I can go back to the point about the independent body overseeing the project. Various issues that have been discussed by ourselves and the previous speaker would be eminently suitable to be overseen by a body such as the Standards in Public Office Commission or whomever is appointed to do so. If the source code is made available for public scrutiny, one would need to oversee the process. Perhaps the SIPO could carry out this function. If there is a need for independent validation of the security of the system, one would need an independent view. There are lots of good reasons for doing so.

It has been done elsewhere. The Australians opened their source code for public scrutiny. Even though it had been thoroughly tested before being introduced, it showed up errors. If the system is open to scrutiny, hundreds of thousands of people will look at it to see whether it is doing exactly what it is supposed to do. It showed up additional errors that had not been detected by the initial tester.

The Association for Computing Machinery, the primary professional body for IT in the US, when commenting on the US situation, stated "Since computers are inherently subject to programming error, equipment malfunction and malicious tampering, we continue to recommend that a voter verified audit trail be one of the essential requirements for deployment of new voting systems." This is a fair summary of what we are saying here today.

Is Mr. Hogan saying that there must always be a paper trail system?

The only advantage of the electronic voting system is that it will speed up the count per se but a full open ballot system will have to run in tandem.

Mr. Cochran

What was suggested earlier was that we should create paper records but there would not be a need to look at them unless the vote was challenged.

Would the full national count have to have ballot papers and a paper trail?

I thank Mr. Hogan and Mr. Cochran for their presentation and for dealing with the questions.

The joint committee went into private session and adjourned at 4.25 p.m. until 11.30 a.m. on Thursday, 11 December 2003.
