The Senate Assurance Bill plugs a critical gap in Australian Election security

By Vanessa Teague

In all the attention given to voter ID, a bill that really does improve the security of Australian Elections has gone mostly unremarked: The Electoral Legislation Amendment (Assurance of Senate Counting) Bill. The bill proposes—for the first time in Australian history—an open, statistical audit of the paper Senate ballots against the digitised preferences to verify that they have been accurately digitised before they are counted.

Transparent processes that provide evidence of an accurate election outcome are the right way to combat misinformation and attacks on our democracy. Transparent processes enhance both actual and perceived accuracy of the electoral process. The draft bill goes a long way towards providing genuine evidence that the Senators who take office do so as an accurate reflection of the choice voters make. It deserves broad support.

What the bill says

The bill has three parts:

  1. (273AA) Provisions for the AEC to appoint someone to examine the system in advance of the election to assess whether it is secure and correct.
  2. (273AC) An audit of the paper ballots against their digitised preferences, to be conducted openly in the presence of scrutineers.
  3. (273 (17-31)) Some technical corrections to the STV counting algorithm, intended to bring it into line with the AEC’s software in the light of some discrepancies Andrew and I identified (see below).

In my opinion, 1 is harmless, 3 is necessary for an unambiguous election result, and 2 is the best thing we can do to secure Australian elections. 

Why we need it

If your response is, “Wait a minute, I thought all Australian votes were manually counted. Why do we need to audit an electronic process?” then you are among many Australians who have until now been a bit confused. It doesn’t help that the AEC adds to this confusion, recently telling Senate Estimates, “What we’ve got is a manual count and a scanning process.” But this is not true. House of Representatives ballots are manually counted, Senate ballots are not. If you imagine the logistics of physically shuffling a few million ballots through a few hundred rounds of preferential vote redistribution, you can see why the AEC does this by computer.

Your Senate ballot is scanned to produce a digital image, then the digital image is converted into electronic preferences through a hybrid human and automated process, then the electronic preferences are electronically counted.  This diagram from the Australian National Audit Office shows the process:

The final counting step is complicated, but easily amenable to independent scrutiny because the AEC publishes the complete digital preferences after the election. Several independent Australians have implemented the algorithm and used it to recheck the count. Recently, Andrew Conway and I found some errors in historical count transcripts, particularly in the tie-breaking rules and in the application of bulk elimination. Although the software bugs did not make a difference to the outcome, they need to be corrected because they could, in principle, make a difference later. The government has decided to alter the legislation rather than getting the AEC to patch their code. While this seems like resolving the inconsistency the hard way  all’s well that ends well. (There are still some ambiguities, notably around the exact definition of when the count ends – see our report for more detail.)

All software has bugs and all human processes make mistakes. The only surprising thing is that, until this demonstration, there seems to have been an assumption that AEC software was somehow perfectly correct, secure and immune to the kind of security problems or counting bugs that had been found in election software in Western Australia, the ACT, NSW, Switzerland, the USA, Estonia, Russia, and elsewhere. 

Australians have very little visibility of the crucial software and processes that turn our paper ballots into digital preferences. The source code is unavailable, the audit reports are not public, and repeated requests for the error rate have elicited only vague estimates and raw experimental data. An undetected imaging problem, software error, or security problem could misrecord ballots in a way that might not be detected. Furthermore, even if there is no such deviation, the absence of evidence is itself a problem: scrutineers and disappointed candidates might think there is a discrepancy, because they have not seen evidence that the ballots are accurately digitised.

We need a clear, public, statistical audit that compares a random sample of paper ballots with the digitised preferences. This gives scrutineers the opportunity to verify that the error rate is low enough to support the announced election result, or to ask for more investigation if the rate of discrepancies seems high. This is the gap that Section 273AC of the bill will fill.

The legislation would require the AEC to take a random sample of ballot papers and compare them to their digitised preferences, noting any discrepancies. Although the bill doesn’t explicitly say so, the right way to do this would be to give the electronic data to the scrutineers in advance, then allow scrutineers to observe the retrieved ballot papers. This way the observers could, independently, verify the calculation of the error rate for themselves, allowing each candidate to receive assurance from someone they chose to trust.

Post-election audits of paper ballots are becoming the norm in the more enlightened parts of the USA, where electronic counting of paper ballots is common. Simpler forms of voting are amenable to efficient audits, including Risk Limiting Audits, which give a strong statistical guarantee of detecting wrong election outcomes. Recent Australian-led work (by Blom, Stark, Stuckey,  Vukcevic and me) extends Risk Limiting Audits to single-winner preferential elections and other complex voting schemes, but we still don’t have a complete solution for the single transferable vote algorithm used in the Australian Senate. Contrary to popular belief, even random errors may systematically disadvantage some candidates. Nevertheless an audit that simply compares ballot papers with their digitized preferences and estimates the error rate would be a huge step forward.

Suggested improvements

The bill could be improved by requiring the digital preferences to be available to scrutineers at the commencement of the audit.

There should be a clause after 273(AC(5)) saying: 

“At the commencement of the audit, the Electoral Commissioner must make available to scrutineers

(i) the Division;

(ii) the vote collection point;(iii) the batch number and ballot paper number within the


(iv) the full set of marked preferences;

for all the ballots being sampled from.”

There should also be a requirement that the paper ballots be chosen randomly, using a method for which correct random choices can be verified by scrutineers (for example, a dice roll used as a seed for an open-source pseudorandom number generator, as implemented in Philip Stark’s SHANGRLA software).

It would also help to add some explanation of what happens in the event of larger-than-expected discrepancies. (In the US, the usual response is to audit a larger sample).

Even without those clarifications, this bill deserves the support of everyone who cares about an accurate and trustworthy Australian Senate election outcome.

Vanessa Teague is a cryptographer with a longstanding interest in the security of systems of interest to public processes, such as elections and open data. She is the CEO of Thinking Cybersecurity Pty Ltd and Associate Prof (Adj.) in the College of Engineering and Computer Science at the Australian National University.

Follow her on Twitter here.