Australian Senate vote-counting-ware contract a complete shambles

The Australian Electoral Commission's (AEC's) handling of the nation's 2016 election was deeply flawed, the Australian National Audit Office (ANAO) has found.

The auditor's investigation was kicked off after the 2016 double-dissolution election, which introduced at short notice optional preferential voting for Australia's Senate. The AEC anticipated a complex count, and in March 2016 had begun work on a system to automate the Senate count, but its timetable was foreshortened by the early election.

That set off a chain of events that resulted in wasted money and security failures, the auditor has found.

Perhaps the most damning finding in the ANAO report is that the AEC handed AU$27 million to Fuji-Xerox to automate the Senate count, but needed to hand-count the papers anyway manually cross-check papers, showing images to operators on screen, who then keyed in vote data (a decision which contributed AU$6.6 million to the cost of the system).

Subsequent to that process, the system lacked any way to correct errors the operators might have made.

The AEC justified the double-count as a way to “improve integrity” of the ballot paper data. “Any mismatches between the human’s and the technology’s interpretation were investigated and resolved,” the report states, but: “The AEC does not know the number or nature of mismatches to determine if this was a cost-effective risk treatment”.

The table below shows all the signs of a rushed system.

Note, for example, that it took more than a month for the AEC to require digital signatures to protect the contents of ballots once scanned.

The government called the election in May 2016, and the AEC asked Fuji-Xerox to alter the system to allow ballots to be viewed by humans, and in June the commission slung $230,000 at the vendor to “Redesign the system so that every ballot paper is viewed by a human”.

Given that the system was commissioned without the usual tender process – the AEC justified this because it approached a panel of contractors already supplying the government – it's no surprise to find: “No consideration of financial cost was evident in the records of the AEC’s decision-making to implement the Senate scanning system”.

Even after all of this, the most important measure of an electoral counting system – that the right people are sitting in parliament – is unmet.

The AEC does not know the number of occasions there was a mismatch between the voter preferences captured by the optical character recognition technology and those captured during full-blind data entry. Or, following a mismatch, whether it was then determined that the technology or the human had accurately captured the voter’s handwritten preferences.

Ten months after the election, the AEC realised Fuji-Xerox still had copies of the ballots on its systems, and instructed the vendor to delete them.

Security: yeah, we better have some of that

The AEC believed its IT security was adequate, but according to the report: “The contract with the ICT supplier had not required compliance with the Australian Government IT security framework. The security risk situation was accepted by the AEC but was not made sufficiently transparent.”

The AEC's own assessment was that “one quarter” of the government's security risk controls “had not been implemented”, and “the security risk situation was accepted by the AEC but was not made sufficiently transparent.”

The AEC also failed to monitor system users sufficiently, the auditor found, so while the auditor agrees that there wasn't any large-scale interference with the election, the commission “did not have a systemic data and analysis plan or adequate visibility of IT security measures”.

There was no security audit trail, the ANAO says, the system logs weren't designed for security analysis, and when the AEC's suffering IT staff cobbled together a dashboard out of what logs were available, they didn't have enough time to produce written procedures or guidelines.

And it appears that some AEC executives knew of the security shortcomings, but hoped they'd pass unnoticed. In a June 12 2016 internal report the scanning system was described as “compliant with certifications, industry standards and the ISM”.

That was contradicted by an internal report on 22 June 2016, but even then, the AEC's Deputy Electoral Commissioner believed the system at least met the “big 8” Australian Signals Directorate rules.

The auditor doesn't quite accuse anyone of a cover-up: “The ANAO’s analysis was that the documented advice to the Electoral Commissioner did not fulfil the ‘need to ensure the agency head has appropriate oversight of the security risks being accepted on behalf of the agency’ stipulated in the ISM.” ®

*Correction: Thanks to the reader who corrected us on the detail that the on-screen process isn't the same as a manual count of ballots. ®