Anne-Marie Oostveen

Last week I gave a statement about remote electronic voting at the European Parliament. The Scientific Technology Options Assessment (STOA) workshop, organised by the Fraunhofer Institute for Systems and Innovation Research (ISI), discussed the opportunities and risks of e-voting and focused in particular on the question whether e-voting can increase electoral participation at European elections. “In view of the low participation rates in the elections of the European Parliament, voting over the Internet (e-voting) is suggested as a possibility of involving more Europeans in the political and electoral process. E-voting is regarded as an especially promising way to motivate younger voters to participate in the elections, because they are already familiar with using the Internet every day and for various reasons”. E-voting is also expected to increase turnout among other groups.

When I started my research on e-voting in 2001 the main reasons for governments to contemplate electronic voting systems was the idea that its convenience would lead to higher electoral participation. Another prediction was that e-voting would be a lot cheaper than traditional voting systems. Ten years on, we see that proponents still use the same arguments to push e-voting forward. Nothing has changed there! What has changed though is the more critical stance taken by academics. Most scholars involved in e-voting research (on both technical as well as socio-political issues) now acknowledge the problems with e-voting and are sceptical about its opportunities to increase turnout. Because there are not many countries that have used e-voting for longer periods there is very little empirical evidence that it would lead to higher turnout and lower costs. What is clear, is that there are still numerous risks related to remote e-voting (lack of transparency, insufficient security and anonymity, no possibility of a recount, coercion, vote buying, digital divide, loss of civic ritual, etc).

It is amazing that with so many risks and dangers, e-voting is still seen by many politicians and citizens as a silver bullet. Other technical systems would most definitely not be accepted if they had even a fraction of the risks we encounter with e-voting. Of course technical problems are a common occurrence and become even more frequent with systems becoming increasingly more complex. But usually these problems are soon detected and fixed. It is for instance unacceptable for car manufacturers to produce cars with technical issues. However, it does happen regularly that cars have faults and need to be recalled to rectify the problems. Recently, manufacturers have experienced windscreen wipers coming off (Jaguar), faulty airbags (Honda, Volvo, Hyundai), steering issues (Chrystler, Mazda, Mercedes), sticky gas pedals (Toyota), stalling engines (Honda) and brake faults (BMW). Obviously as a driver you will notice when your windscreen wipers fall off or when your airbag spontaneously inflates.

However, remote e-voting problems are much more difficult to detect. First of all, voters cannot be sure that their ballot was transmitted, even if there is no detected attack. Secondly, the required anonymity for Internet voting makes it difficult to trace errors and fraud. E-voters can not verify if their vote is correctly stored and counted. It is the nature of computers that their inner workings are not visible. Thus, it is not possible for humans to observe exactly what a computer is doing with their votes. Furthermore, as some of the speakers at the workshop pointed out,  there are many potential security flaws with e-voting because devices are used which can not be fully controlled: personal computers can be affected by viruses or Trojan horses and different attacks can affect the server or the connection can be spoofed and manipulated by third parties. In short, as the Fraunhofer researchers rightfully argue, governments today are not in a position where they can guarantee that the principles of general, free and anonymous elections and a transparent counting of votes can be assured in e-voting. A very scary thought! Hopefully the MEPs who were present at the workshop in Brussels are now more aware of the inherent problems with e-voting and will be reluctant to see it is a miracle cure for disappointing turnout figures at European elections. I am convinced that political apathy will not be solved by changing the voting process or voting methods.

The statements of the speakers have been filmed and can be seen on the website of the European Parliament.

The European Consortium for Political Research (ECPR) has recently accepted the proposal of a standing group on “Internet & Politics”. This standing group aims to link researchers internationally to create a consolidated network and exchange for Internet political research, in particular in the areas of e-democracy, e-government and governance of the Internet.

The Internet & Politics group plans to develop a number activities, including: the promotion of Internet & Politics workshops at the ECPR joint sessions; the development of panels at the ECPR general conferences; and potentially the organization of a summer school. It also seeks to help young researchers to become integrated into a network of European social scientists involved in the field.

Membership of the group is open to anyone with an interest in Internet politics broadly defined. Participation from PhD students is particularly encouraged. Researchers can join the group by completing an online form in the members section of the website.

If you are you doing interesting research on eGovernment issues you might want to consider submitting a paper to the International Journal of Electronic Government Research (IJEGR). As an editorial board member of this journal I have been asked to encourage my colleagues and contacts to send in their manuscripts. The IJEGR journal is looking for submissions that reflect the wide and interdisciplinary nature of e-government as a subject and manuscripts that integrate technological disciplines with social, contextual and management issues. For a list of possible topics, please take a look at the Call for Papers.

I am quite pleased about the fact that apparently more and more researchers seem to focus their studies on citizen needs. Editor-in-Chief Prof. Vishanth Weerakkody from Brunel University says:

“Most of the recent articles submitted to IJEGR have focused on adoption and diffusion issues of e-government services from a citizen’s perspective. This shows that the user related issues are very important and are treated as high priority by researchers.  This is particularly important as earlier e-government research (from 2001 to around 2005/6) has largely focused on the organizational and implementation side of e-government, while the focus is now shifting to adoption and diffusion from a citizen/user centric perspective.” 

Prospective authors should note that only original and previously unpublished articles will be considered. Interested authors should consult the journal’s guidelines for manuscript submissions at: www.igi-global.com/journals/guidelines.html. 

I live in a small hamlet north of Oxford where there are no visible blemishes on the God-kissed landscape. The rolling hills, the chocolate box cottages, the fields full of sheep…it all seems perfect. But the breath-taking beauty of the landscape doesn’t tell the story of the hardship of the people maintaining the fields, the fences, the hedges. Many of the farmers who work the land and rear the sheep and cattle haven’t made any profits for the last couple of years. The rising price of meat and eggs in the supermarket is not reflected in their income. Farming is tough business.

At the OII we are interested in the use of the Internet for everyday life. Since I have moved to a rural location I have gotten interested in the advantages of being online for farmers. Now that the necessary infrastructure is available all over the country farmers can log on and use the Internet for both their everyday life and managing their farming operation. Nevertheless, a study by Warren (2004) shows that less than one-third of UK farmers use the Internet for business purposes, with the worst levels of adoption for farms in the cattle and sheep sector. Although the research is somewhat dated, it still shows that there is a far lower rate of Internet use among farmers than in other small to medium-sized enterprises.

There is an online wealth of information for farmers from governmental sites to forums and agricultural magazines such as the ‘Farmers Weekly Interactive’. My guess is that most of the active users of these websites are relatively young. None of the middle-aged and older farmers in my community seem to use the Internet themselves, but this is nothing more than an anecdotal observation. Normally not shy of new technology, and gratefully making use of the latest farming equipment such as state-of-the-art harvest combiners, balers and tractors, using a computer poses somewhat of a problem for the older generation of farmers. I know that many have difficulties with reading and writing and would find using the Internet rather daunting and time-consuming. This brings me to the definition of ‘Internet user’. Is that a person who actually sits down at the computer and clicks around? Or does that also include my 70-year-old neighbour who specifically asks me to find him a DEFRA update on the latest bluetongue situation? Or who wants to know the precise regulations and specifications for building stiles? I am now subscribed to the Animal Health Disease Alert, have a login for the EBLEX Beef and Lamb Sector Company website and receive the Farmers Weekly Newsletter, all on his behalf.

A great help for my neighbour is to know what the daily average UK market prices of lambs are in comparison to his local market at Stratford. The prices of finished lambs and store lambs are readily available on the Net but would prove to be far more difficult to find offline. This ease of finding crucial data (albeit using me as an intermediary) means that he is well-informed and therefore knows whether to take his livestock to market or instead to sell it directly to individual traders. He has only recently discovered these advantages and now passes on the information he gets off the Net to his fellow shepherds and farmers. Luckily, besides showing that Internet use is very low under UK farmers, Warren’s longitudinal analysis also indicates that there is a clear rise in use of both email and WWW. Maybe, before long, my neighbour will be online himself using the Internet to apply for cattle passports or to look at Harvest Highlight pictures.

Students from the Radboud University in the Netherlands and the Lausitz University of Applied Sciences in Germany have shown more vulnerabilities with RFID technology. In a previous post I mentioned the problems with the new ticket system with embedded RFID chips for use by frequent travellers in the Netherlands, and the possibility to hack into the passes used to enter government buildings and other important locations. Now it is shown by Henning Richter, Wojciech Mostowski, and Erik Poll that there is a way to remotely detect the presence of an e-passport (a passport with an embedded RFID chip that carries digitally signed biometric information)  and to determine its nationality. With quite a few foreigners working or studying in their university departments, the researchers managed to test passports from 10 different countries: Australia, Belgium, France, Germany, Greece, Italy, the Netherlands, Poland, Spain, and Sweden.

‘While not an immediate security threat to the passport itself, it could be a concern to the passport holder: this functionality is clearly useful for passport thieves. It strengthens the case for metal shielding in the passport to prevent any communication with the RFID smartcard when the passport is closed (as used in US passport, where it is used instead of Basic Access Control). More generally, it demonstrates the problems associated with making communication wireless, esp. with something as sensitive as an identification document. ‘

Henning et al. have written a paper about their findings which will be presented at the NLUUG Conference on Security.

The yearly International Multidisciplinary Conference on e-Commerce and e-Government (ECOM & EGOV 2008) will be held once more in Poland (20-22 October). I have never actually attended the conference, but have been on the Programme Committee for many years. This year there is more emphasis on e-government research than in the previous years and the PC is looking for contributions from scholars with a background in computer science, sociology, law, psychology, economy, management, artificial intelligence and so on. You can find more information on the conference website.

The Netherlands seems to be having some serious problems lately with ‘new’ technology. The troubles started in 2006 when the ‘We do not trust voting computers‘ foundation showed that the voting machines used in polling stations in the Netherlands were not transparent, did not provide the possibility of a recount and were very insecure – making it relatively easy to hack into them (either to play chess against them or to change the election results). Even worse, the ‘Regulation for approval of voting machines 1997′ said nothing at all about the security of the systems and only regulated that you should be able to drop the machine from a certain height, or that you could spill water over it and more of such mishaps. The campaign against the voting machines (used by 99% of the population) resulted in all the voting systems being decertified, and a withdrawal of the 1997 Regulations. The Dutch population will be voting by pencil and paper ballots again for a while to come. Isn’t it a reassuring thought your vote gets cast the way you want it and a recount is possible? 

Having dealt with the nasty e-voting issue, the government is now faced with more technology disasters. A lot of money has been invested in creating plastic tickets with embedded RFID chips for use by frequent travellers in the Netherlands. This new systems was to be introduced on all trains, buses, trams and subways by 1 January 2009. The idea is that people can upload money on these tickets and an RFID reader will determine the cost of the journey and deduct the necessary amount. This public transport card uses the Mifare Classic Chip with cryptography produced by Trans Link Systems. During the Chaos Computer Club conference in Berlin last December two German hackers discussed how they reverse-engineered the cryptographic components of the chip, showing that it would only take minutes to find the secret keys to the cards. This makes counterfeiting of the cards possible, allowing Dutch citizens to free-ride the public transport system. In January students of the Radboud University showed that they could also hack the single-use cards (which don’t use cryptography). Maybe the existing system of paper tickets wasn’t so bad after all? Wouldn’t it be a relief to have no centralized record of all your movements?

The hack of the Mifare Chip caused a ripple effect throughout the country leading to the discovery in March by researchers from the Radboud University in Nijmegen that they were able to hack into the passes used to enter government buildings and other important locations. Millions of these contactless ‘swipe-cards’ are used to get into ministries, universities, laboratories and large companies. It seems that access control will have to be done by old-fashioned porters again. 

And as if this wasn’t enough bad news, the final blow came at a Mastercard Europe Conference last week where it was announced that the Dutch PIN cards are probably the most insecure ones in the world. Most of these bank cards use magnetic strips and these can be easily skimmed (illegally copied by criminals). All banks will now have to incorporate chips on their cards, but how vulnerable will these turn out to be?

In each of these cases we see the same pattern when it is discovered that the technology is flawed. The vendors deny that there is a problem and become very defensive instead of taking the often well-meant advice and warnings at heart. Usually the revelations by hackers and researchers are followed by questions in parliament. It takes a couple of months or weeks for the truth to sink in: this technology is worthless now that the code is out and anybody could hack into it. ‘Security by Obscurity’ is no longer a valid security mechanism.

So what is going on? The Netherlands has always been an early adopter of new technologies. The voting computers I described have been in use since the 1980s and Dutch consumers have been able to pay for their purchases with PIN cards since 1987. There are 20 million PIN cards in use in the Netherlands, which means that with a population of about 16 million people, most adults have one or more PIN cards which they can use in nearly 225.000 shops and ATMs. Alas, being a forerunner of technology means that you are also likely to become the first one to see the drawbacks of these innovations. I think a useful way of explaining the current problems is Jan Romein’s Handicap of a head start which he described in his essay ‘The Dialectic of Progress’ (1935). In this publication the Dutch historian explains that it can be a real drawback to be advanced. Romein means that a head start may lead to stagnation, while an initial lag in development may lead to a leap forward. Trotski said it as follows: “The privilege of historic backwardness – and such a privilege exists – permits, or rather compels, the adoption of whatever is ready in advance of any specified date, skipping a whole series of intermediate stages” (1932). Obviously these ideas were based on different units of analyses (development of societies) but apply to new technologies as well. When you are the first one to embrace new systems, they can become so fixed that they hinder the development of different and possibly better systems. Another problem is that governments often implement new technology out of some sort of progress ideology. But maybe it is time to realise that in some situations going back to the starting point (paper and pencil for voting, porters for access control and paper tickets for travelling) is real progress – at least for the time being. Countries that have not yet adopted electronic voting or public transport systems with RFID better keep a close eye on the early adopters and take the lessons learned into account. 

Playing chess against a Dutch voting computer