We're building open-source tools to help all Australians participate more actively in parliamentary democracy. Right To Ask is designed to let everyone raise political questions and direct them to the MP or committee where they can get an answer and make an impact.

9 /9: Overall, some auditing is much better than no auditing – we have much better visibility of the accuracy of the Senate digitisation process than we've ever had before, including evidence supporting most results. Next time, I hope more scrutineers will show up for the audit.

Join millions who have switched to Grok.

8/9: Maybe @AusElectoralCom will even reconsider their policy of keeping the source code secret, and instead open it to public scrutiny for "security reasons" – if the problem arose because of a software bug, we might be able to find it and help fix it.

7/9: However, it's not too late for a careful investigation: viewing more ballot papers, checking whether they have an image in the database, and trying to understand the size of the problem. If the cause can be isolated then it can be corrected before the next election.

6/9: Unfortunately @AusElectoralCom and their audit contractors don't seem to have understood the importance of the finding that some ballot papers weren't represented in the image database. Perhaps they didn't realise how close the result in Vic was.

5/9: This is also a good result for the audit, because surfacing a serious problem – if one has occurred – is also an important positive contribution to securing our elections.

4/9: In Vic, the error rate is higher than the margin. Some of the sampled ballot papers had no matching image in the database. The audit report does not say what was in the image database instead. A similar problem occurred in NSW but wasn't large enough to impact the result.

3/9: In 5 states and 2 territories, the measured error seems to be well below the electoral margin. This is pretty good evidence that the results are correct in those contests – much better evidence than has been available for past Australian Senate results.

2/9: It's a big step forward for Aus electoral integrity that this audit was performed and publicly reported. It's a shame the samples weren't taken randomly, so the error estimates might not be very accurate. Verifiable random sampling needs to be implemented next time.

1/9: Our submission to the Joint Standing committee on electoral matters (with @philipbstark @MichelleBlom8 @VukcevicD and Peter Stuckey) considers the audit of Australian Senate ballot papers to compare them with their digitized preferences.

I think it's time for a new communication platform.#EnoughIsEnough . (Where does this even come from? Not from my profile, that's for sure.)

When @rossjanderson says 'magical thinking' it's not a compliment.

RT @thomas_e_haines: The first paper was joint work with @VTeagueAus and Olivier Pereira about our experiences working for the Swiss Federa….

And here's the matching requirement:

p.19.

6/6: Forcing more people to use this system is not the way to make Australian digital identity secure. We should be forcing the DTA to scrap it and design something with better privacy and security properties from scratch. #Auspol.

5/6: Nevertheless it is an unnecessary risk to store this information on an internet-facing server at all. Indeed, it is an unnecessary risk to have designed a protocol with an Identity Exchange as a single point of both privacy and authentication failure.

4/6: Obviously I am not suggesting that any of the accredited Identity exchanges are going to serve this info up over an unauthenticated API (as Optus allegedly did). The enumeration attack described in @bgf_nz 's thesis would require access to the back-end database.

3/6: And before anyone tells me that the Identity exchange is not allowed to store the EDI, remember that that relies on a rather idiosyncratic definition of 'not allowed to store' which also includes the requirement to check for matches.

2/6: If it isn't immediately obvious why this is a bad idea (and one would hope that by now it might be at least a little bit obvious), please read @bgf_nz 's master's thesis: "How trustworthy is the Trusted Digital Identity Framework?".

1/6: I hope @SenKatyG and @VictorDominello understand that the current "Trusted Digital Identity Framework" requires Identity Exchanges to store somewhat-obfuscated identity document numbers on an internet-facing server.