There are few processes as critical to the smooth running of a society than the electoral process. It's a procedure in which we must all trust.
So it’s surprising that the current Senate count process was found by the Australian National Audit Office (ANAO) to have several deficiencies which were not disclosed at the time of the election.
ANAO identified several anomalies in the running of the 2016 Senate election which, although not necessarily casting doubt on the correctness of who was elected, are cause for concern.
The diagram below shows the process used to capture Senate ballot paper preferences electronically. It’s a credit to the AEC that they were able to implement this system in only three months with Fuji Xerox.
This tight timeframe hindered the AEC’s ability to implement effective governance and security controls. The report identified that the AEC “assessed that one quarter of the applicable Australian government controls for treating security risks had not been implemented.”
“The contract with the ICT supplier had not required compliance with the Australian Government IT security framework. The security risk situation accepted by the AEC was not made sufficiently transparent,” the report said.
The report also said: “The ANAO’s analysis was that the documented advice to the Electoral Commissioner did not fulfil the ‘need to ensure the agency head has appropriate oversight of the security risks being accepted on behalf of the agency’ stipulated in the government’s Information Security Manual (ISM).”
This is not reassuring and shows the AEC did not develop and manage its system to be compliant with required government practices. But it is comforting to know that the AEC agrees with the findings and is committed to working towards achieving a high level of compliance with the Australian Government’s security framework in the future.
Finally, the report said: “The level of IT security risk accepted by the AEC on behalf of the Australian Government, and the extent of the non-compliance with the Australian Government IT security frameworks, was not transparent.”
The wording used [by the AEC] in some of the internal records and published materials would generate confidence in the security of the system whereas the underlying assessments indicated significant risk.
One of the key challenges when running an election is to not lose any ballot papers. This may sound simple but when you are dealing with more than 45 million ballot papers, it is not easy.
One of the undertakings the AEC made to the electorate, as a result of the lost ballots at WA Senate election in 2013, was to account for ALL ballot papers from the time they are printed, until their statutorily authorised destruction.
The auditor found that “the AEC is not currently in a position to report that it has achieved its performance target of 100 per cent of ballot papers being accounted for”.
The AEC publicly reported that it had achieved its performance target of accounting for 100 per cent of ballot papers. But the AEC based this statement not on a positive proof that showed not ballots were unaccounted but rather a negative proof that they were unaware that any ballot papers were not accounted for, which is a considerably lower level of assurance.
To report against the performance indicator, the AEC had emailed its state managers on 1 November 2016 (four months after polling day) asking them to indicate ‘any instances where you are aware that ballot papers are not accounted for’. None identified any instances (although one response contained the qualification that all unused ballot papers were ‘materially accounted for’).
It is doubtful that the AEC really met its obligations by asking its state managers if a problem occurred, but the AEC still maintained it was confident that the range of unspecified measures put in place for the 2016 federal election ensured the integrity of the Senate count.
Scrutiny and transparency
Currently partisan scrutineers are appointed by candidates or parties to look after their interests by reviewing the election process to ensure their candidate is fairly treated.
The feedback to the Joint Standing Committee on Electoral Matters indicated that scrutineers generally found it more difficult to confirm the integrity of the Senate count when conducted by the semi-automated system than by the previous largely manual process.
Most scrutineers I spoke to found the scrutiny approach taken by the AEC at the 2016 Senate election, to be less than satisfactory when trying to assess the overall integrity of the Senate data capture.
Given this situation the auditor recommended that when the Australian Electoral Commission uses computer assisted scrutiny in future federal electoral events, the integrity of the data is verified and the findings of the verification activities are reported.
The AEC was not overly enthusiastic to implement this recommendation and said they will continue to evaluate and if appropriate, implement additional verification mechanisms to maintain the integrity of the count. The results of verification activities undertaken at future electoral events may be reporting in support of the scrutineering process.
I believe the scrutiny system for the Senate count needs to be changed. An additional new type of nonpartisan expert scrutineer needs to be appointed by an independent organisation prior to the election.
Their role would be to audit the computer systems and monitor processes used to capture and count votes. It is unreasonable to expect that each of the current partisan scrutineers could do this type of audit, and even if they tried the AEC would be overwhelmed by many scrutineers all demanding data to undertake the same audit.
I do not believe anyone is concerned that the AEC had to cut a few corners regarding procurement and even testing of the system, given that they had only three months to implement the new Senate count system. If anyone is to blame for this situation it should be parliament. This time limit was due to politics and public service procedure which prevented the AEC doing anything until the legislation for the new Senate count was passed.
If they had done anything before the legislation passed the Commissioner would be in breach of his finance obligations and other protocols related to what agencies can and cannot do. Yes, this could only happen in the public sector.
But the public will not accept the concealing of known security risks along with overstating performance in the handling and counting of ballot papers. Note this is not to say there were any material issues which affected the outcome of the election, this is not known.
My concern is that the AEC made statements to the public which would on face value appear to be exaggerated. The audit report made it clear that several security risks were known and accepted which was contrary to the public position of the AEC during the election.
Also, a cursory examination of the results data (i.e. Randwick KINGSFORD SMITH Pre-poll had 10 per cent more Senate papers counted than ballots counted for the House of Representatives) shows unaccounted for ballot paper discrepancies suggesting not all ballots had been accounted for as claimed and required.
I believe the public understands agencies like the AEC are not perfect and mistakes will happen, but they expect to be dealt with honestly not be told everything is 100 per cent ok when it is not.
It took an independent auditor over a year after the election to expose these fairly obvious flaws in the AEC’s communications with the public. I do not believe that this situation will improve as this type of “information management” is common in many large organisations and culturally very difficult to overcome.
Given we must have absolute trust in the election results produced by the AEC and current methods are not working for the Senate system, I believe we can only address this issue for future Senate elections by appointing a new type of nonpartisan expert scrutineer (auditor).
The auditor will report to the Commissioner during the election, and just after the election the Electoral Matters Committee. This will reduce the potential for information being concealed from the public during the election, but still leave the Commissioner in charge of the process.
The appointment of these experts is not in the current legislation and as such will require legislative change - so start writing to your elected member and the Electoral Maters Committee if you support this idea.
Ian Brightwell is a consultant, academic and experienced CIO. He helps clients better manage and utilise their technology investments. He specialises in program and portfolio management and technology governance with a particular focus on information security. In addition to postgraduate qualifications in information systems and management he is Certified by ISACA in the Governance of Enterprise IT (CGEIT) and a trained Gateway Reviewer for NSW ICT programs. His role was responsible for the provision of all IT infrastructure and information security for the New South Wales (NSW) Electoral Commission and led NSW electronic voting initiative (iVote) at the 2011 and 2015 elections.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.