November 28, 2008

Making the case for Open Source software for elections

Posted in Debra Bowen, Election reform, Elections, politics, voting, voting machines tagged , , , at 10:12 pm by bluebanshee

It’s not the voting that’s democracy, it’s the counting.

(Tom Stoppard, British playwright, 1972)

If the counting of the vote lies at the heart of democracy then vote-counting conducted in secret on proprietary software is a dagger threatening to still that heartbeat and undermine the integrity of the process.   Among those who have looked into the abyss of secret vote-counting software is California Secretary of State Debra Bowen when she set up a task force to study the software used in her state’s elections.

Bowen says it is time for elections to be conducted with Open Source software.  She is basing her conclusion on the findings of the Top to Bottom (T2B) Review of California voting systems that she ordered after taking office.

Bowen has a history of pushing for greater transparency and accountability in election technology. After taking office in November 2006, she commissioned a top-to-bottom review of e-voting systems, including detailed analyses of source code, documentation, security, and usability. “All of the systems had security issues,” Bowen said.

The study revealed a variety of problems, from software vulnerabilities that could let an attacker install malicious software that changes the outcome of a vote, to opportunities to tamper with the devices while they are held in storage.

If this sounds scary to the average voter, it should, especially since several major voting machine vendors declined to participate in Bowen’s study, possibly out of a desire to avoid the kind of scrutiny that Bowen’s task force would force them to undergo.

Bowen is following the advice of computer security experts like Ron Rivest who recommend better design and increased security be an intrinsic part of any vote-counting software.

MIT computer science professor Ron Rivest, who has studied the security and privacy of voting systems, says that these systems should be designed to work even if the software underneath is somehow flawed. “Do you have to trust the software in order to trust the election results?” he asks. The ideal situation, Rivest says, is one where the presence of bugs or malware cannot affect the outcome of an election.

Paul Venezia of IDG, in a recent New York Times article, discussed problems with voting machines from Premier (formerly Diebold) in Ohio that illustrate the manifest problems with closed source software.

In many cases, even the manufacturers don’t have the source code to software running on their own systems. Premier Election Solutions recently advised that its machines lost votes in Ohio primaries due to an incompatibility with McAfee’s anti-virus software. In the words of XKCD, someone is clearly doing their job horribly wrong. Later, Premier claimed that its own software was at fault.

This kind of explanation does not exactly inspire confidence in the company’s products — or in the correctness of the vote count.  Speaking to an audience of IT professionals, Venezia further notes:

Those of us who live in IT every day know better. We know exactly how poorly designed some software frameworks are. We see the security challenges presented by Web servers, mail servers, remote access, and so on, but when it comes to the foundation of our democracy, we just shake our heads and move on.

Maybe it’s time for us geeks to come to the rescue, with a little help from Congress. We’ve built the Internet, designed staggeringly complex technologies for conducting lightning-speed financial transactions, securing sensitive patient data, even our own entertainment. After all, you’d be hard-pressed to say that there’s more complexity in an e-voting machine than in, say, your TiVo or even your cell phone.

But the key to securing e-voting resides in making its systems open source.

But many might ask:  isn’t public disclosure dangerous?  Couldn’t Open Source software for elections lead to the vote count being hacked?   Wouldn’t this make it easier for bad guys to alter the count?

These are legitimate concerns that are addressed by Neal McBurnett, software engineer and voting integrity activist, who draws on real-world examples of open source software success.

One instinctual notion is “Security through Obscurity“. I.e. some people think the systems should be designed in secret, and hidden from as many people as possible. But decades of cryptography research has led to state-of-the-art systems in which the code can be public and only the keys need to be kept a secret. And experience shows that when enough people want to break into a system, trying to keep the code a secret doesn’t stop them, as users well know. Openness is simply the best approach in this sort of situation.

For example, when the US government wanted a new Advanced Encryption Standard (AES), they didn’t rely on the National Security Agency to design it with their enormous funding and expertise. They announced a public, open, worldwide competition. Algorithms were proposed and coded and disclosed and debated for years. The winning entry, from Belgium, was then presented to the world for free use.

The best model is electronic communications and commerce on the Internet. Despite fierce competition, more secure web sites rely on the “Open Source” software called Apache than anything else.

Venezia chimes in with some other examples  of open source success in his New York Times piece:

If you look around the open source community, you will find a wide variety of projects that are not only widely used but extremely well designed and very secure. Apache, Perl, PHP, OpenBSD, FreeBSD, and the Linux kernel are just a few examples. Coders who contribute to these projects generally do so without remuneration, producing some of the best code available.

McBurnett explains the level of disclosure he would require for election software:

I think the law should simply require full public disclosure of everything necessary to build a working system. This is more or less like universal practice of requiring blueprints from building contractors.

At least, full disclosure would eliminate the risk of a vendor going out of business and taking its proprietary software secrets with it.

The best news about open source fully disclosed software for elections is that it has already been done elsewhere — and very successfully, too.   As McBurnett points out:

Now you’re thinking “Isn’t this just pie in the sky? Who would really write and give away a free election system?” Well, one such system is already in use in Australia. EVACS beat out proprietary rivals in a competition. It is provided by a company named Software Improvements. The software for online e-voting in the Netherlands has also been disclosed.

So if the U.S. were to opt for open source software for elections, it would, at best, be the third country to try it — with all the advantages of being able to learn from the mistakes/success of others.

From that perspective, open source software for elections does not look as risky as the status quo closed source software with all its persistent and well-documented problems.



  1. The new Election Assistance Commission’s (EAC) Volunteer Voting System Guidelines (VVSG) will allow for new voting processes to be created and certified. The current certification process is geared to certify existing types of processes. Independent labs were given certification guidelines and voting machine vendors designed systems to meet those guidelines. Some argue that the guidelines were written to certify existing products. The results are the same, virtually no design space for innovation.

    The new VVSG has been undergoing a review for more than a year including a request for public comments. Visit if you want to review the 598 page document. These new guidelines have numerous and significant changes that will change the voting process in years to come. I will highlight four items that I think are important to every voter.

    First, new certification guidelines REQUIRE that new voting processes shall be SOFTWARE INDEPEDNENT. This does not mean that no software is permitted or that it has to be open source. The definition of software independence is that any software failure will not change the outcome of the election. This requirement is intended to increase voter confidence that their vote is counted as they intended.

    Secondly, the encouragement for designers to use multi processes with complementary technologies. In the most basic form the use of Direct Recoding Equipment (DRE) with a Voter Verified Paper Audit Trail (VVPAT) would meet the new requirement. This solution may not meet the new usability guidelines that are being added. Optical Scan systems would be encouraged to show you how your marks on the ballot will be interpreted before you cast the ballot. You would be notified if you over voted or under voted and then the device would give you a choice to correct your ballot or ignore the warning.

    Thirdly, a new class of voting processes are going to be created for INNOVATIVE systems. The EAC realizes that they may not be able to write today appropriate guidelines for processes that have not yet been created. To encourage innovation the VVSG allows for innovators to bring to the EAC new processes, systems, technologies and they will design guidelines that permit certification if warranted. We at think our Pen and Paper system will be welcomed by the EAC in this new class.

    Fourthly, the certification process in addition to inspection by independent laboratories, will include extensive usability tests in the field. In filed tests will be required by real voters. Sometimes what looks good on paper and on the production floor, the consumer rejects for unforeseen reasons. Could some of the current objections about the the voting process have been eliminated with real world field trails? Maybe.

    As an example of extreme usability testing PenVote’s PenPoll, a paper and pen poll book, was used in a binding 2007 November election by 443 voters and it was deemed totally transparent to the poll workers and voters. To test in the most harsh way, no training was provided to voter’s and the poll workers were only shown how the pen vibrates when used incorrectly and how they should advise the voter if it happens. Everyone, including the election board director, were ecstatic with the results. We at PenVote look forward to new guidelines that will encourage innovation.


  2. Your Rivest quote was not an argument for open source eVoting – it was an argument for transparency and verifiablity.

    “The ideal situation, Rivest says, is one where the presence of bugs or malware cannot affect the outcome of an election.”

    It seem to me that end-to-end verifiable systems are what are needed. Eg Scantegrity, Puchscan, pret-a-vote, etc…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: