Friday, November 22, 2013

Auditing the Vote-Counting Software

The OAS got a chance earlier this month to see a snapshot of the Sistema Integrado de Escrutinio y Divulgación Electoral (SIEDE). They found the system worked, sort of. Citing "poor performance" in key steps, the OAS reports that Honduras still needs to finish the last bits of code to ensure "verification of results".

These conclusions were translated by the Honduran press into headlines like "The system to transmit the vote tallies can work well" and "The OAS discards [the possibility of] fraud in the elections in Honduras and the electoral entity [the TSE] asks for respect" and "The OAS certifies that the equipment to transmit the electoral results is trustworthy".

Not quite.

The report is an audit of the software that will be used to count votes, examining it for qualities like security, accuracy, and transparency. El Heraldo posted the PDF of the report here.

SIEDE is designed to do the following tasks.  First it scans the vote tally sheets, printing copies for each of the political parties, and then it digitally signs them and sends them via HTTPS to the Tribunal Supremo Electoral's (TSE) data center in Tegucigalpa over a cell phone network.  Computers in the data center receive the scanned tally sheets and verify the digital signature, forwarding copies to the political parties and the international auditors, then analyze the internal consistency of the transmitted tally sheet.  Next the data center computers transcribe the tally sheet using Optical Character Recognition software and verify the data on the tally sheet, monitoring it for inconsistencies.  Finally SIEDE, in the TSE data center, accumulates and integrates the votes from this tally sheet with others already entered into the system, generating vote totals and sharing the results.
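The data-center end of that pipeline, as an added illustration that is not the TSE's code: a polling place signs its sheet, and the receiver refuses to parse anything whose signature fails, checks that the sheet's own numbers add up, refuses a second sheet from the same polling place, and only then adds the counts to the running totals. It assumes a JSON sheet in place of the scanned image, one Ed25519 key pair shared by all polling places, and the field names shown; the report does not say which signature scheme the TSE actually uses.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// TallySheet is a constructed stand-in for one polling place's sheet (the real one is a scanned image).
type TallySheet struct {
	Polling string
	Ballots int            // ballots cast, as written on the sheet
	Votes   map[string]int // count per candidate, plus "blank" and "null"
}

// Sign runs at the polling place: returns the JSON sheet to upload and its Ed25519 signature.
func Sign(priv ed25519.PrivateKey, s TallySheet) (sheet, sig []byte) {
	sheet, _ = json.Marshal(s) // cannot fail for this struct
	return sheet, ed25519.Sign(priv, sheet)
}

// Receive is the data-center side: reject a bad signature before parsing, check the
// sheet's own arithmetic, refuse a repeated polling place, then fold the counts into totals.
func Receive(pub ed25519.PublicKey, sheet, sig []byte, seen map[string]bool, totals map[string]int) error {
	if !ed25519.Verify(pub, sheet, sig) {
		return fmt.Errorf("signature verification failed")
	}
	var s TallySheet
	if err := json.Unmarshal(sheet, &s); err != nil {
		return err
	}
	sum := 0
	for _, v := range s.Votes {
		if v < 0 {
			return fmt.Errorf("%s: negative count", s.Polling)
		}
		sum += v
	}
	if sum != s.Ballots {
		return fmt.Errorf("%s: counts sum to %d, ballots %d", s.Polling, sum, s.Ballots)
	}
	if seen[s.Polling] {
		return fmt.Errorf("%s: duplicate sheet", s.Polling)
	}
	seen[s.Polling] = true
	for c, v := range s.Votes {
		totals[c] += v
	}
	return nil
}
```

A key pair for trying it out comes from ed25519.GenerateKey(nil), which draws from crypto/rand; a sheet that is replayed, altered in transit, or internally inconsistent is rejected without touching the totals.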

SIEDE is a combination of off-the-shelf hardware and software bought from vendors and custom code written for the TSE.

The hardware at each polling place consists of a laptop, a wireless modem for the network of CLARO or TIGO (two of the large phone companies in the country), and a multifunction ink-jet printer and scanner. Each polling place runs software which will digitally sign, then upload, the completed vote tallies for President, Congress, and Municipal office to an off-site data center in a hotel, set up by the Tribunal Supremo Electoral. The data center has systems that act as web servers to receive the signed tally sheet images over HTTPS, a Microsoft SQL Server database to store the images and record information about their processing, and Readiris OCR software to read the numbers from the scanned forms for later validation and processing.

All of this commercial software is held together both in the polling station and the data center by automation code written by TSE programmers.

During the one-month audit period, the OAS observers got to witness three tests of the SIEDE system by the TSE, each with increasing load. The audit was completed on November 20 with the release of the report.

Key findings are the following:
The findings refer, fundamentally, to the behavior of the system during the simulations, which were carried out without all of the functionality and with test data that was smaller than the defined objectives for this audit.  For that reason, the conclusions refer to the behavior of the system as of the dates mentioned without a possibility to predict its behavior with the volumes of information and expected loads on election day...

In general terms, and under the technical functional conditions observed, the operational modules that bind the system together are functional, complying with the established parameters of the SIEDE process.  But, because of the gaps in the load testing during the simulations and that the system must process on election day, the part that consolidates and integrates, and discloses the data is of special concern [since in each simulation] we saw poor performance in the systems that accumulate the results and schedule tasks.  Because of this it is a priority to optimize the mechanisms used in the processing of the information and to finish the code to do the work of verification of the results.

Now, there is much the TSE deserves credit for here. Building this kind of voting system in-house, from scratch, to international standards is admirable, and judging from the OAS checklist, many of the parts they did complete they did well; the OAS had few concerns about much of the completed code. But the TSE wrote no specifications detailing how the software should behave, and was slow to purchase the hardware and software on which to build the standardized infrastructure. That makes it difficult to say the system is doing what it should, since there are no specifications to check it against.

The OAS found the code for everything up to tallying the results and sharing them with the political parties to be up to international standards, and that each stage to that point provided correct and verifiable results to pass along to the next. 

But that's where their praise stopped.
In relation to the module that consolidates, integrates, and shares the results, the audit detected failures that gave evidence of a failure to follow international standards of quality required for this type of program.  It is important to note that aspects like correction, trustworthiness, and efficiency have not been complied with in these modules up to the finalization of the simulations.

Translation? The code that counts the votes, accumulates the results, and then shares them with the political parties is incomplete, and what is there does not meet the international quality standards the OAS deems ordinary and proper for this kind of code.

To be eight days out from the election and not code complete is asking for trouble. The OAS indicating that changes to the existing code base still needed to be made before the election is also asking for trouble. 

I managed enterprise-level software projects of comparable complexity in a former career, and I can tell you you don't make these kinds of major, unproven changes to a system in the last 8 days before you roll it out unless rolling it out as it is will be a certain disaster. Why? Because you're inviting things to go horribly wrong by making late changes, and they almost always do.

There is one last simulation scheduled for November 23, the day before the election, and it is supposed to be a full scale load test.  If anything goes wrong, there won't really be any time to fix things. 

Luckily the TSE has 30 days to declare the winner, just enough time to do a hand count of the ballots if necessary.
