Worrying news from Scotland

This is a story that wasn't exactly high profile but is worrying.

Scotland is trialing a new electronic vote counting system for local elections. On the face of it this might sound sensible speeding up counts by moving to a centralised electronic system at 32 centres across the country.

Of course even with the best will in the world it isn't as simple as that.

I start from the premise that elections are very important.  It is also important that every candidate is able to track the progress of the count and be satisifed that it is fair.  This is the strength of manual counting, you can watch each step and challenge the mistakes that inevitably occur and overall if everyone (including observers) does their job we can be fairly confident of the result.

The issue with electronic counting is it removes the ability of those at the count to challenge and check.

One nice feature about hand counts is you can see the stacks. This is clear in single member FPTP, but even in a STV elections you can see the stacks as they are broken and resorted.  You can get a feel that the result is correct.

If this is done electronically then you have to trust the software and hardware.  There are two key reasons not to do this with the software:

1. Malice
2. Incompetence

To get round allegations of both the code and tool chain would need to be open to scrutiny as widely as possible.  Certainly every political party must have access to the code.  But even this is not enough, if you don't believe me have a look at the results of the "obfuscated v" competition. If you know C have a look at one of the entries, and explain why it adds votes for Kerry and Nader to Bush's total  on November 2nd but not on November 1st! Also explain why it works differently on different operating systems. Even ignoring the possibility of malice, bad coding is not unknown to result in bugs that could do similar things. (Many of the entries in the contest use buffer overruns, the same sort of bug that is behind most web site hacks -- not an uncommon event.)

The code itself is also not enough as other entries show: you can use the build process to change source files, and this can also be hard to spot in a large enough software project.

Finally will the system be secure enough to withstand a malicious agent. I presume an air gap will be mean you have to be at the count (but that may not be certain), but how secure will the system be to someone trying to break into it?

A secondary, but also important issues is access to the count.  I don't know if the 32 locations will be a reduction in the number of locations, but if it is then it needs to be handled carefully.  Whilst Scotland and England have very different populations, and so more travel is inevitable than would be usual in England it has to be possible for candidates and activisits to get to the count.  They also need to be able to cope with the number of observers needed for reasonable scrutiny. If this change reduces the number of scrutineers it is undesirable for a robust democratic process.

Elections are too important for this.

(As an aside, clearly the big news story at the moment is the London riots, but I think letting the dust settle is the best idea at the moment.)