November 28, 2008
Making the case for Open Source software for elections
It’s not the voting that’s democracy, it’s the counting.
(Tom Stoppard, British playwright, 1972)
If the counting of the vote lies at the heart of democracy, then vote-counting conducted in secret on proprietary software is a dagger threatening to still that heartbeat and undermine the integrity of the process. Among those who have looked into the abyss of secret vote-counting software is California Secretary of State Debra Bowen, who set up a task force to study the software used in her state’s elections.
Bowen says it is time for elections to be conducted with Open Source software. She is basing her conclusion on the findings of the Top to Bottom (T2B) Review of California voting systems that she ordered after taking office. http://abcnews.go.com/Technology/story?id=5893946&page=1
Bowen has a history of pushing for greater transparency and accountability in election technology. After taking office in November 2006, she commissioned a top-to-bottom review of e-voting systems, including detailed analyses of source code, documentation, security, and usability. “All of the systems had security issues,” Bowen said.
The study revealed a variety of problems, from software vulnerabilities that could let an attacker install malicious software that changes the outcome of a vote, to opportunities to tamper with the devices while they are held in storage.
If this sounds scary to the average voter, it should, especially since several major voting machine vendors declined to participate in Bowen’s study, possibly out of a desire to avoid the kind of scrutiny that her task force would have imposed on them.
Bowen is following the advice of computer security experts like Ron Rivest, who recommend that better design and increased security be an intrinsic part of any vote-counting software.
MIT computer science professor Ron Rivest, who has studied the security and privacy of voting systems, says that these systems should be designed to work even if the software underneath is somehow flawed. “Do you have to trust the software in order to trust the election results?” he asks. The ideal situation, Rivest says, is one where the presence of bugs or malware cannot affect the outcome of an election.
Paul Venezia of IDG, in a recent New York Times article, discussed problems with voting machines from Premier (formerly Diebold) in Ohio that illustrate the manifest problems with closed source software. http://www.nytimes.com/external/idg/2008/10/27/27idg-Open-source-Ho.html
In many cases, even the manufacturers don’t have the source code to software running on their own systems. Premier Election Solutions recently advised that its machines lost votes in Ohio primaries due to an incompatibility with McAfee’s anti-virus software. In the words of XKCD, someone is clearly doing their job horribly wrong. Later, Premier claimed that its own software was at fault.
This kind of explanation does not exactly inspire confidence in the company’s products — or in the correctness of the vote count. Speaking to an audience of IT professionals, Venezia further notes:
Those of us who live in IT every day know better. We know exactly how poorly designed some software frameworks are. We see the security challenges presented by Web servers, mail servers, remote access, and so on, but when it comes to the foundation of our democracy, we just shake our heads and move on.
Maybe it’s time for us geeks to come to the rescue, with a little help from Congress. We’ve built the Internet, designed staggeringly complex technologies for conducting lightning-speed financial transactions, securing sensitive patient data, even our own entertainment. After all, you’d be hard-pressed to say that there’s more complexity in an e-voting machine than in, say, your TiVo or even your cell phone.
But the key to securing e-voting resides in making its systems open source.
But many might ask: isn’t public disclosure dangerous? Couldn’t Open Source software for elections lead to the vote count being hacked? Wouldn’t this make it easier for bad guys to alter the count?
These are legitimate concerns that are addressed by Neal McBurnett, software engineer and voting integrity activist, who draws on real-world examples of open source software success. http://bcn.boulder.co.us/~neal/elections/disclosure.html
One instinctual notion is “Security through Obscurity”. I.e. some people think the systems should be designed in secret, and hidden from as many people as possible. But decades of cryptography research have led to state-of-the-art systems in which the code can be public and only the keys need to be kept a secret. And experience shows that when enough people want to break into a system, trying to keep the code a secret doesn’t stop them, as users well know. Openness is simply the best approach in this sort of situation.
For example, when the US government wanted a new Advanced Encryption Standard (AES), they didn’t rely on the National Security Agency to design it with their enormous funding and expertise. They announced a public, open, worldwide competition. Algorithms were proposed and coded and disclosed and debated for years. The winning entry, from Belgium, was then presented to the world for free use.
Venezia chimes in with some other examples of open source success in his New York Times piece:
If you look around the open source community, you will find a wide variety of projects that are not only widely used but extremely well designed and very secure. Apache, Perl, PHP, OpenBSD, FreeBSD, and the Linux kernel are just a few examples. Coders who contribute to these projects generally do so without remuneration, producing some of the best code available.
McBurnett explains the level of disclosure he would require for election software:
I think the law should simply require full public disclosure of everything necessary to build a working system. This is more or less like the universal practice of requiring blueprints from building contractors.
At least, full disclosure would eliminate the risk of a vendor going out of business and taking its proprietary software secrets with it.
The best news about open source, fully disclosed software for elections is that it has already been done elsewhere, and very successfully, too. As McBurnett points out:
Now you’re thinking “Isn’t this just pie in the sky? Who would really write and give away a free election system?” Well, one such system is already in use in Australia. EVACS beat out proprietary rivals in a competition. It is provided by a company named Software Improvements. The software for online e-voting in the Netherlands has also been disclosed.
So if the U.S. were to opt for open source software for elections, it would, at best, be the third country to try it, with all the advantages of being able to learn from the mistakes and successes of others.
From that perspective, open source software for elections does not look as risky as the status quo of closed source software, with all its persistent and well-documented problems.