Finnish Court Dismisses E-Voting Result 114
wizzor writes in with a follow-up on the Finnish municipal election in which 2% of the votes were lost by a defective e-voting system, and which the Helsinki Administrative Court had found acceptable. Now the Supreme Administrative Court of Finland has rejected the election results (original in Finnish; bad Google translation here) and ordered the election to be re-run. The submitter adds, "Apparently 98% of the votes isn't enough to determine how the remaining 2% voted, after all."
2% were lost... (Score:5, Insightful)
Re:2% were lost... (Score:4, Funny)
Depends how well they were "calibrated"...
Re: (Score:3, Insightful)
If 2% of the votes were lost, how many were incorrect or not registered properly? If the system can lose votes, it can very easily put them for the wrong person as well...
All of them. The voting device had serious usability issues, enabling people to get out of the booth without registering the vote.
Re:Usability Glitch? (Score:5, Insightful)
by Antique Geekmeister (740220) on 2008-10-29 8:47 (#25552091)
The card should have been locked into the machine until the voter said 'OK' or cleared the screen, and locked it in with an alert and a deactivation warning if the person left the booth without doing either. Anyone can get confused about simple directions for an entirely new system. How many of us have tried to walk away from an ATM with our card still in it because we were distracted?
Re:2% were lost... (Score:5, Insightful)
Re: (Score:1)
In this case the error was evenly distributed, because it was caused by bad UI design. The voters could pull off the card before they finished their voting process.
Re: (Score:3, Insightful)
Uh, no
You don't think there may be differences in how people who are "elderly or those who work in schools", "usually unemployed or work non-standard hours" and "usually work a regular day job" might react to bad UI design?
(Using the categories proposed by GP).
Re: (Score:1)
2% creates doubt and mistrust (Score:3, Insightful)
2% creates doubt and mistrust in the election results and that is unacceptable. What if the votes were lost in a non-random fashion? What if the same e-voting system gets reused later in a case where 2% could mean the difference between a seat going to one candidate or another? What if the root cause of the loss caused other problems as well? What does it say about the quality control and security of the system? People should be able to trust the outcome of an election.
Where do you draw the line? (Score:2)
If 2% is acceptable then what about 5%? 10%...? Where do you draw the line?
The running of an entire country is at stake here and 2% is certainly enough to show there's serious problems with the system.
Re: (Score:2)
As far as I know, the reason why votes were lost was that the voting system had a very bad UI. For the vote to be registered, you had to push an OK-button more than once *) - something that wasn't that apparent, and which all users did not understand to do. Also, when then removing the voting card from the machine, no indication was give
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
This glitch occured in Finnish municipality elections, where it is not uncommon to loose or win a seat with a margin of a few votes. In one of the municipalities, which trialed e-voting, a party could gain a seat with as few as 130 votes. More importantly, in the voting list sytem the people who actually go into the office (from their respective parties), is decided by their relative popularity on the party list. Therefore, even a single vote can easily (and commonly) change *who*, from the party gaining th
Re: (Score:1, Insightful)
In Finland, average vote loss with pen & paper was around 0.5%
Re:What was the margin of victory? (Score:5, Informative)
If the margin of victory was greater then 2 percent,
It was not, as best as I can tell from the translation:
Kauniainen municipality electronically of the votes lost to two percent, and for missing votes in the number would have been enough change in the outcome of the elections.
Quick and dirty translation (Score:4, Informative)
The story isn't that well written. The system allowed the user to remove his ID card before the vote was registered. The lack of a paper trail is a large problem, and the lack of openness in the design doesn't help to gain the users' trust. Further, the system was designed by Tieto Oy (formerly TietoEnator), also responsible for the new systems at Sampo Bank (with numerous login problems, XSS exploits and such). Vestigia terrent.
Re:What was the margin of victory? (Score:5, Insightful)
In theory, because of the voting system used, 2% of the votes could have dramatic consequences. Of course, we'll never know because the votes are anonymous and the recipients secret, but if you think that quite a lot of candidates got in with just a few dozen of votes, you can clearly see how 2% could have determined a lot.
Re: (Score:3, Interesting)
If the margin of victory was greater then 2 percent, then it should be non-issue as far as who is in office. But it should be fixed for the next election.
There were several issues here. First, according to some sources, a few elections were close enough that 2% may have made a difference. Second, the machines put in place did not have adequate safeguards against fraud or adequate ability to do accurate recounts. The former is enough to have to do one or two elections over, but the latter was such that the people running the elections were declared to have been potentially acting in bad faith and the equivalent of a constitutional right to equal voting was vi
Re: (Score:1)
According to Sanoma sources, which in general are sufficiently reliable, especially in matters like this.
In general, we can take it as a fact that the missing 2% could have changed the results of the election.
Re: (Score:3, Informative)
In municipal elections of Finland, each municipality chooses it's leaders. The amount of depends on the size of the municipality but in mine (Vantaa), there are 67 representatives for less than 200 000 people and not nearly everyone votes (it's closer to 100 000 people voting).
Add to that that we use different system than the USA. The person who gets most votes within any given party gets all the votes given for that party. The person who would have gotten second most votes gets half of the votes given to t
Re: (Score:3, Interesting)
And besides that is not even the point in my opinion. I was candidate in our municipality (but not in those in question) and I couldn't care less if one or two votes were missing. The issue I think is that we can now point our fingers and say "There, there is the problem. Now fix it!" and because this was forced on us by our goverment it is the goverment's job to fix the problem. So it is no matter if 1, 2, 3 or 50 percent of votes were lost. Just fix the damn problem and be done with it!
Of course fixing th
Re: (Score:2)
With an error so large in such a critical application, you cant be sure that 2% is the correct number. A flaw this large calls the entire result in question, as it rightfully should.
Re: (Score:2)
Unless you're actually serious about the importance of voting, in which case the response here is very simple: Throw out the invalid votes (all of them) and re-run the election.
Re: (Score:2)
It is the Supreme Court's task, at least in other countries, to set the rules for once and for all, not to address incidents. Based on the available evidence, it has decided that such voting problems are unacceptable *in general*.
Voting systems matter (Score:2)
Most of Europe uses a proportional voting system. (Each voting district elects several representatives at once.) As far as I can see, Finland has one too.
A difference of just a few percent can shift a seat from one party to another.
how many coffin nails will it take? (Score:5, Insightful)
E-voting has had more lives than a cat. It should be over, done, kaput. An experiment that failed.
Re: (Score:2, Insightful)
It still amazes me that we put full trust (and R&D $$$) into electronic banking systems yet can't get the same technology to work for something as simple as counting votes.
Banking doesn't usually require anonymity (Score:5, Insightful)
Re: (Score:2, Informative)
This is actually a solved problem. When you vote, you get a unique random sequence of characters. After the election is completed, a list of all votes is published. Next to each vote, the SHA1 sum of the voter's personal ID number concatenated with the random characters is listed. Example (truncated SHA1 sums):
64038c437f2c republicans
aea7fb41626d republicans
86895065f8
Re:Banking doesn't usually require anonymity (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
You don't need to. You just tell them to look up the hash in the local newspaper after the election (if they want to), and disregard the random numbers they got along with it. Other people will check that the hash matches the random number and social security number.
Re: (Score:1)
You DO need to. The reason democracy works is because people believe in it, see it work, and can understand it.
Things you believe in that you can't understand and can't see work are called RELIGIONS.
Re: (Score:2)
So driving is a religion? Most people don't understand how their car works either. They definatley don't get how the voting machine works.
Re: (Score:1)
Driving is not democracy. Do not confuse the two. Do not ask questions of me as if I am confusing the two. I am not stupid.
Re: (Score:1)
Crypto is not democracy. Do not confuse the two. Do not ask questions as if I am confusing the two. I am not stupid.
Re: (Score:2)
Unfortunately this enables coercion and vote-selling, as does any system that gives the voter a receipt that can be linked to how they voted. An Evil Election Stealer can say, if you vote for candidate X, everything will be fine. But please tell us the code that the voting machine gave you, so we can be sure you did what we told you to do.
Re: (Score:1)
Re: (Score:1)
The appended random characters make that impossible. Consider if they used id + random = sum, all just plain integers, no hashing (which is approximately equivalent given large enough range for the random values, I think). You know every possible id and every resulting sum, but you still can't connect them because you don't know the random number added to the id.
Here's the that would be data published: (in "sum -- voted for" format)
The voter IDs we
Re: (Score:1)
Nothing Informative here. Just a complete lack of understanding how voting works.
But it's GREAT if you want to have a DICTATORSHIP!
Re: (Score:2)
Do that and you don't have secret voting anymore. Sure a random person can't tell how another random person voted, but your union boss can see how you voted, or your boss, or your husband, or your pastor, etc.
Re: (Score:1)
Maybe I am overlooking something, but what is the point of hashing here? What is the gain compared with simply handing out a random number?
Assuming the number is not random or can be stored, the hash will not prevent a dictionary attack.
Re:Banking doesn't usually require anonymity (Score:5, Informative)
If you gave up secret voting, you could likely make a 'secure enough' voting system, since anyone could check their own vote in the system.
There's no need to give up on secret voting to get this. Thanks to advances in cryptography we can have secret *and* verifiable ballots. An example implementation can be found at Helios voting [heliosvoting.org]. Also, check out a description of a paper based system: Scratch and Vote [adida.net] [PDF]
Re: (Score:1)
Even if this works in theory, there may be flaws in the implementation. And even if implemented correctly, there may be issues with key management.
But most importantly, for 99,9% of the voters, it is impossible to understand the system, let alone verify the actual vote. Therefore, it is just a matter of time (or money) before some manipulation by insiders takes place.
Re: (Score:2)
Re: (Score:2)
But that raises the next question: Verifiable by who?
Saying that there are some experts who can verify the proper execution of an election simply isn't good enough, at least not if you want to call that election "democratic". With paper ballots marked with pens and placed in a ballot box, any voter of normal intelligence can observe an election, understand the security properties needed at each step, and see for themselves if those security prop
Re: (Score:2)
Utter bull.
The mathematics do not address situations like results of temporary calculations being stored in hard disk and never overwritten.
Re: (Score:2, Insightful)
To verify the system, only a small absolute number (not percentage) of people needs to verify it. Assume 1% of the votes are incorrect and 500 random (from the cheater's perspective) people verify their hashes. The probability that none of these are victims of a forged vote is 0.65%. If only 0.1% of the votes are tampered with, you need 5000 people to achieve a similar percentage.
You
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
But there's still room for tampering the votes. There's always the question about public trust to the system also. Let me clear this up a bit. Oh, and I'm a Finn...
Traditional pen & paper method is almost 100% fool proof system. It is almost impossible to tamper the votes and here's why: Every party sets their own observer to overlook the counting. Any foul play is quickly discovered by observers. In order to fool the system you would need to bribe a whole lot of people.
With computer based counting all
Re: (Score:3, Informative)
I'm also a Finn and I was counting the votes at the municipal elections in Helsinki late last year. The system is even more tamper proof than described previously. First of all, the ballot box is checked at the casting of the first vote that there's no extra votes within the box. The first vote is stamped (like the rest will be) and put in to the box. The parties have a right to set an observer for the whole time until the votes have been counted. The next day the votes are recounted (which is where I was p
Re: (Score:2)
Thank you very much! I wasn't in the know how counting goes in action and that cleared things up a lot.
Btw. I was counting votes last year in Kokoomus Puoluepäivät and there we had to disqualify, if I remember correctly, only one vote. I guess our party's voters are more adept in writing numbers. Just kidding... :)
Re: (Score:2)
Probably, not always. I have two years of commercial school behind and I'm myyntimerkantti ;)
Re: (Score:2)
weicco wrote:
But there's still room for tampering the votes. There's always the question about public trust to the system also. Let me clear this up a bit. Oh, and I'm a Finn...
Traditional pen & paper method is almost 100% fool proof system. It is almost impossible to tamper the votes and here's why: Every party sets their own observer to overlook the counting. Any foul play is quickly discovered by observers. In order to fool the system you would need to bribe a whole lot of people.
Another Finn here, and I agree with parent.
Electronic voting has been marketed as ultimately enabling voting by web, SMS, and whatever channels. The reasoning is to increase voting activity. The reason why it doesn't work is that it's not the process of voting that keeps activity down - voting cannot get much simpler and still stay reliable - but the substance of politics. They're seemingly after the votes of those who don't care who gets elected, or feel that there is any difference between ca
Re: (Score:3, Informative)
Internet-voting is absolute horror. It can be made technically sound but that's about it. Who can assure that it is my wife who gives the vote and not me who stole my wife's ID card or whatever (not that I would do so, just for example)? Who can assure that one isn't giving vote under physical threat? Rhetorical questions but current paper & pen method prevents these kinds of situations perfectly.
Re: (Score:2)
My state (California) allows me to vote by mail, which I love, and it's not as horrific as you make it soun
Re: (Score:2)
But that enables, for example, me to vote "in behalf" of the whole family in the next elections, wouldn't it?
In my opinion, of course, there are some problems with elections in Finland but I don't think the actual voting happening is one of them. We have elections once a year at max so I don't think it is insurmountable problem to get to the election site. You have something about two weeks time to give your vote plus the actual election day. If you are sick in hospital, you get the change to vote from your
Re: (Score:1)
So they just keep "two sets of books". One that is used for anyone inquiring about their vote and one that is used to report to the election commission that the highest bidder has won. Fraud is easily perpetrated on any "anonymous" system. Anonymity and verifiability are incompatible in a sophisticated system.
Re: (Score:1)
The real problem with electronic voting vs banking comparison is that banking has a completetly different aim: earning money.
Electronic banking is not secure. Period. E.g. in 2008, in the U.K. online banking fraud caused losses in the order of 50 Million Pounds. However, the banks still make a profit. ("It's just the cost of doing business...")
This kind of thinking is a bit problematic with voting.
Re:how many coffin nails will it take? (Score:4, Insightful)
It still amazes me that we put full trust (and R&D $$$) into electronic banking systems yet can't get the same technology to work for something as simple as counting votes.
"I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this--who will count the votes, and how." - J. Stalin
Electronic voting does not have an inherent paper trail.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
(potentially) overjoyed (Score:2)
A pro-cycling candidate didn't get in because he was short just a handful of votes. Well, now they're organizing the voting again (from the article in Finnish (yeah, I'm one of those who actually understand that crazy language)) and my candidate has another shot at it :o)
Don't you love second chances?
Of course, the real reason I'm happy is that this absurdity with 2% invalid voting has been overturned. Everybody knew that Helsinki Administrative Court's (Hallinto Oikeus) decision was shit - so, I celebrate
Re: (Score:1)
Re: (Score:2)
How is it a second chance? There so far has been no first chance, since the votes made the first time around don't count.
Think of it as a chance for whoever is in charge of that election *NOT* to misplace 2% of the electorate.
Re: (Score:2)
Or viewed from the other side, a chance to participate in a fair[er] election.
Re: (Score:1)
A bold prediction (Score:5, Funny)
I bet Diebold, or Premier, or whatever it is that pack of cheats and liars are calling themselves these days, won't be trying to place their voting machines in Finland any time soon. I doubt they could attain 98% accuracy even with only one candidate on the ballot.
Re: (Score:2)
Re: (Score:2)
Since the election used a blackbox system (ie. no voter verified paper trail), we have no way of knowing whether the votes were recorded as cast or not. It's relatively easy to discover if the total number of votes recorded is inaccurate. Finding out whether they were recorded as cast is an entirely different thing.
The problem in this case appears to be a usability issue, so there is no reason to be more suspiciou
Re: (Score:1, Insightful)
When your company name is so sullied that you need to change it, you ought to realize that you have reached the end of the line...
Most still voted with traditional methods (Score:4, Informative)
Re: (Score:2)
Want to compile a list of companies with Finnish offices and a track record of solid, secure, verifiable e-voting systems with a tangible prototype to impress the decision-gorillas?
Give me 500EUR and I'll hack up such an e-voting system in one workday.
Why on earth is this not a trivial problem?
I am glad. (Score:1)
Re: (Score:3, Interesting)
"300 years"? Really. What, then, did the ballot act of 1872 [wikipedia.org] do?
And then there is the matter of numbered ballots...
From EFFI (Score:5, Informative)
Effi has an English article on this (Score:3, Informative)
Electronic Frontier Finland (Effi) has an English article [effi.org] on this matter as well.
More Info in English (Score:4, Informative)
More about the case in English
Yle News [yle.fi]
Helsingin Sanomat [www.hs.fi]
Newsroom Finland [finland.fi]
2% of the Vote? (Score:2)
And why should they be? Not every country has a 'winner take all' simple majority voting system. And even if Finland doesn't, every vote has to be understood to have been counted even if they didn't go to some arbitrary clear-cut winner.
Besides, that race might very well have been neck-and-neck. 2% of the vote either way might have decided it.
Re: (Score:1)
The loss of a single vote might have affected the results, given the Finnish system.
My city was one of the affected ones. In our city there were candidates A and B who got the same number of votes, both on the margin that you need to get in, and only one place was left. Only one made it to the city council, based on a toss of a coin by the voting board. If there had been one more on vote on either one, the random selection would not have been necessary.
Remember that we are talking about local elections and
How hard can it be to get this right? (Score:1)
Seriously?! More broken fucking e-voting machines? Who are these idiots and why can't they make a simple kiosk work? Why are they being paid to do this and why haven't I been hired instead? What am I missing out on here? Anyone? I *KNOW* that I could make a simple web app launched in firefox and attached to a locally-running apache instance on a linux box NOT MISS A SINGLE VOTE. I could even add touch-screen activation with the proper hardware. How hard can this be to get right?
Re: (Score:2, Interesting)
I guess the problem was that these people also "knew", and thus didn't see the need to actually test the interface on a sufficient number of people - There's a 95% change that at least 1 out of 150 random testers would fall victim to a 2% failure rate. If you allowed the testers to leave feedback, the mistakes could probably have been discovered a lot faste
Re: (Score:2)
Pick 150 random people from a "representative voter sample" of a population, like say 150 people selected for jury duty in new york city ("you people vote red.. the rest vote blue") and you are going to have more than 2% assholes that want the system to fail..
Re: (Score:3, Insightful)
It sure seems like an easy problem, doesn't it.
As a programming problem, it seems like an easy problem because it is. Thing is - it's not a programming problem. It's a security problem. As a security problem, the programmer is the most significant potential attacker. Does it still seem easy?
Re: (Score:1)
How does your system allow voting from multiple locations, prevent duplicate votes, prevent voters to be associated with their votes, etc?
It is funny, and perhaps lucky that they got the user interface work so badly botched. The user interface is the easy part. The hard part is getting the security right and the entire country-wide system reliable, and not allow any particular party (such as the vendor) steal the elections, or allow government to look at how you voted.
The system we used failed on all counts
How hard is it? (Score:1)
Re: (Score:2, Insightful)
Its actually surprisingly hard, if you start to think about it. If you compare to the paper ballot system, there are checks and balances. The different party officials and citizens can oversee the counting (in fact, they volunteer to do it). One corrupt counter does not break the system, however, because the others will catch him. And its very hard to cause a country-wide discrepancy.
If you compare an e-voting system to, say, a banking application, there's one big difference: in the banking application you
News in English (Score:5, Informative)
Finnish e-voting results annulled, municipalities to hold new elections [effi.org] by Electronic Frontier Finland ry (Effi), the best summary in English, IMO;
Helsingin Sanomat [www.hs.fi];
Helsinki Times [helsinkitimes.fi];
The Brad Blog [bradblog.com];
NewsRoom Finland [finland.fi];
YLE [www.yle.fi]; and
Turre [turre.com] (the lawyers that won the case).
The voting system was provided by Tieto [tieto.com] and Scytl [scytl.com]. In their News Page [scytl.com], Scytl declares: "Scytl's Pnyx.core successfully used in local elections in Finland" Shouldn't they update this...? It is even possible that the 2% of the votes lost was due to the Pnyx.core, instead of usability issues with the voting terminals, as has been commonly assumed - who knows.
Interesting facts about the case (Score:4, Interesting)
It is of course a completely correct decision from the supreme court to re-run the elections, and we are very happy about it.
But it has been interesting to follow the developments and the various attempts to avoid this outcome.
Before the elections, the minister of justice, Tuija Brax claimed any possible problems were "science fiction". After the elections and when the problems were announced, she has not been a support of new elections, just stating that the courts need to decide. However, she was quick to launch an internal investigation and fire the Director of Elections. Not sure the director was really the true guilty person here, but at least a scapegoat had been found...
The city voting boards very resisting new elections for the last second. They came up with interesting claims to prevent this from happening. One claim that we've heard often -- even after the decision -- is that the new elections do not matter, because the party situations would not change. Well, they were missing the minor issue that in Finland the election system is based on voting on persons, not parties. Some of us do care about who we vote there. A more sinister claim was that the voters had conspired to misuse the voting system on purpose, to show that it was unreliable (!). Now, talk about science fiction, maybe these guys could be of some use in the JFK murder investigation? Not to mention the fact that a correctly implemented voting system should not be vulnerable to such misuse.
The three cities involved are now extremely unhappy with the ministry, as the law requires them to pay for the new elections. The ministry has promised an extra budget to help out... though in my mind, the architects and vendors of the system should get to pay.
Its also been extremely difficult to get any information from the government on the details of the system. The local EFF wanted to take a look before the elections, but was refused (or impossible NDAs were requested). I made an official request to get the cost information of the entire project, and the government claimed that they have no such information. One number that has been circulated in the press was 700 000 euros, but that seems low, given that a large number of design and specification work went in, even at the ministry level not to mention the vendors.
All in all, a happy outcome:
- director of elections fired :-)
- minister is now pro-open source and paper trail
- general knowledge of possible problems in e-voting was increased in the country
- elections are re-run
However, everyone is quite focused on the specific bugs we experienced, thinking that individual bugs can easily be fixed. I'm more worried about the process and the way that these things are done. I don't see a way to avoid bugs next time either, for instance. Lack of verifiability, openness, government not listening to citizens or outside experts, blind acceptance of vendor sales pitches, lack of sensible motivation for the entire effort are the worrisome aspects.
Re: (Score:1)
One claim that we've heard often -- even after the decision -- is that the new elections do not matter, because the party situations would not change. Well, they were missing the minor issue that in Finland the election system is based on voting on persons, not parties.
The election system is primarily based on voting the party, and only secondarily based on voting the person inside the party. Thinking it's about voting a person is wrong, meaning it makes people vote for the wrong reasons, even against what they believe in. The vote goes first to the party, so first thing for a voter is to choose a party. Then the voter can choose a candidate inside that party to support, but that's not as important as choosing the party.
It's less important both because even if you favorit
English Article (Score:1)
Re: (Score:2)
Industrial Design 101: A system, such as a user interface, whether mechanical, software-based, or both, that allows a transaction to be left in an ambiguous state, is indeed a defective design.
At the very least, they could have designed it to warn the user, upon yanking out their ID card *mid-transaction*, with loud sounds and flashing screen messages. Or, to notify the voting administrators that a vo
Re: (Score:2)
Some ATMs are designed to perform in this way - your card is not returned until you have completed whatever function(s) you began.
So a person distracted with music or a cell phone takes their money from the ATM and for some reason runs off, leaving their card.
Around these parts it used to be that way, now it's the opposite: you make your transaction, and the machine spits out your card and prompts you to take it before it spits out the money and/or receipt. YMMV.
Re: (Score:2, Informative)
Please check YOUR facts first. There were several problems:
- bad user interface design
- machines freezing up at the critical moment
- machines crashing when presented with the voting card
- instruction leaflet asking the voter to press "OK" once when twice was needed
- secret, closed source design
- no paper verification
- no public review possible of the algorithms etc
Of course, the publicity around this case centers on the first issue, because its the easiest to understand. But there were other problems, too,