E-vote tester sets record straight over code review

4 Mar 2004

Nathean Technologies, the Irish software consultancy which reviewed the source code to be used in the Government’s e-voting system, has spoken out publicly over the nature of testing undertaken on the software. It has also supported – with reservations – the choice of database that will be used to count the votes in the election.

On Tuesday Joe McCarthy, a computing and election expert, had raised the issue of whether sufficient tests had been carried out on the proposed e-voting system. But speaking exclusively to siliconrepublic.com, Nathean CEO Ronan Wisdom said that Microsoft Access, although not perfect, was functionally capable of the task required and would be fit to use in the election.

It has emerged that some of the comments attributed to Nathean that are now in the public domain appear to have come from released documents pertaining to early reviews of the software. For example, critics of the e-voting system had seized upon a submission from Nathean to the Department of the Environment which indicated that a more secure database than Microsoft Access “may be warranted”.

Ronan Wisdom confirmed that Nathean made this comment but pointed out that it was made in an early-stage review. In addition, much debate has centred on whether Access is an enterprise system. Although the task of counting votes in an election is critical to the democratic running of the State, in the strictest sense, Access will not be used in an enterprise setting – that is, a multi-user environment.

“The application is not required to scale. It’s on a single PC with a single user,” he said. “Is Access the perfect system? Any technologist making that kind of claim would not be credible. But is it suitable for the task? It can be quite easily argued yes,” Wisdom added. “There are things that could be done to make Access better or more secure and there are documents from us to the Department to suggest a variety of steps,” he pointed out.

Nathean has continually made recommendations to the Department since the testing process began in December 2001. “We’ve been very happy with the way our inputs have been dealt with in the Department, even on subjective issues of best practice,” said Wisdom.

Nathean analysed and reviewed all of the system’s source code but it did not perform any testing as to how it would work – this task was carried out by another third party, Electoral Reform Services. According to Wisdom, code analysis and functionality testing are two discrete disciplines and as such should be treated separately anyway. “It seems to us to be good methodology on the Department’s part to have two agencies carrying out these tests,” he said. “They involve different mindsets and focus on different issues.”

Wisdom said he felt the Department took the right approach to have separate consultancies with separate credentials examining the system, adding that Nathean and ERS were not the only agencies involved in testing. “I’d be less happy as a voter if I thought that one big company was carrying out one test only on the whole system,” he said.

Wisdom also confirmed that contrary to some claims, Nathean had reviewed the entire code and had done so over a period of 176 man-days. “We have seen absolutely all the code at this stage,” he stated. The testing took place between December 2001 and February 2004. Nathean has performed eight code reviews to date; the most recent of these was completed in late February and a report is now being prepared for the Department.

Another issue that has emerged in recent days has been the question of language: the original software was developed by a Dutch firm, which wrote code specific to the Irish electoral system. Opponents of the Government’s e-voting plans had claimed that code written in Dutch could not be adequately reviewed.

In fact, the code is written in the Delphi application development environment: only some of the code contains comments and variable names written in Dutch, which Nathean has also reviewed. The initial review of the code involved 58 units of code comprising 70,000 lines in total. According to Wisdom, only two of these units contained a significant amount of Dutch remarks.

In the latter stages of the review process, Nathean added a senior Dutch developer to its team to translate the code comments so that the entire code could be analysed fully. All of these comments or variable names have been annotated in English. “We have the original Dutch and English right beside one another,” said Wisdom.

Nathean works on a rolling contract with the Department of the Environment: depending on how the Department assesses the latest code review, the Dublin-based company may be asked to undertake a further code analysis.

By Gordon Smith