Open Source and Voting Machines

Posted on September 27th, 2008 by Robin Bloor in Commentary

What Does This Have To Do With Open Source?

Debra Bowen, California’s secretary of state, advocates that open-source software be used in voting machines. What can I say? The fact that some voting machine companies insist on keeping their software source code secret has to be a cause for concern. She maintains that the purchase of voting machines is often left up to people, who are not competent to judge whether it is secure or not. But worse than that, the purchase contracts often insist that the code is not reviewed and no access to it is provided. Sound’s like there’s a need for a set of voting machine standards and a national testing center to me.

Imho there is nothing wrong with the buyer having access to the code, but giving experts access to the code makes far more sense, and it might even be possible to devise tests that prove that legitimate code is running as part of a sane set of procedures to test machines on voting day, a few moments before the public starts to use them.

Incidentally, it doesn’t have to be Open Source issued under the GPL. You could have proprietary systems opening their source. It’s about being able to audit the code, not about who owns the rights to the code. But actually, this is a side issue that has more to do with quality assurance. Open Source will not stop machines from being compromised.

Cleverer Options

There are cleverer ideas than this which could make voting bullet-proof secure. Some of them have been discussed or proposed by academics, but sadly, none of them is currently being used. Here’s the gist of an idea that is pretty bullet proof:

The idea is simple. You have two systems. One is the voting machine itself and the other is a system which checks whether the voting machines are working accurately. The system that checks runs remotely (over the Internet).

When the voter votes the voting machine prints a log of the vote AND issues a receipt to the voter which encrypts the votes of the voter along with the identity of the voting machine. The voter can use the receipt to check their vote on-line. If there is any discrepancy between vote cast and what the on-line system says, the voter can complain. If a voting machine gets compromised at any point in any way the checking system catches the error and the paper trail can be used for a recount.

With the right encryption, this kind of system would work and be very difficult to compromise. But you wont see any such system in operation in the US in November.

«- 1 2 View All -»

Subscribe to HaveMacWillBlog in a reader

Steve posted the following on Sunday, September 28, 2008 at 7:50 am.

The new Voluntary Voting System Guidelines (VVSG) has been undergoing a review for more than a year including a request for public comments. Visit http://www.eac.gov/vvsg if you want to review the 598 page document. These guidelines have numerous and significant changes that will change the voting process in years to come.

The new certification guidelines REQUIRE that new voting processes shall be SOFTWARE INDEPENDENT. This does not mean that no software is permitted. The definition of “software independence” is that any software failure will not change the outcome of the election. This requirement is intended to increase voter confidence that their vote is counted as intended.

The use of connectivity to the Internet is expressly forbidden as is the use of wireless including Bluetooth. Infrared is however permitted.

Also, a new class of voting processes is going to be created for INNOVATIVE systems. The EAC (Election Assistance Committee) realizes that they may not be able to write today appropriate guidelines for processes that have not yet been created. To encourage innovation the VVSG allows for innovators to bring to the EAC new processes, systems, technologies and they will design guidelines that permit certification if warranted.

Robin you have made a good point suggesting that there be multiple processes that can independently count the vote and have them reconciled. The new VVSG will encourage these types of solutions.

Bloor Robin posted the following on Sunday, September 28, 2008 at 11:32 am.

Steve

Thanks for the feedback. I’m pleased that something intelligent is being done. The mere suspicion of voter fraud and stolen elections undermines the whole democratic process.
The idea of completely forbidding internet connection seems a little bizarre since it implies that no connection via the Internet can be secured and that is simply not the case. A better idea would be to forbid all unsecured internet connection.
It’s an important point because, in what I’m suggesting, you need 2 data paths back to a central point in order to ensure that no votes are compromised on the way back.
Having a dual process system where one process uses the Internet and the other doesn’t seems sane to me.
The system I’ve mooted in the posting could work without Internet connection, but it would make it unnecessarily complex.

TimTheFoolMan posted the following on Monday, September 29, 2008 at 9:18 am.

Ultimately, using open source to review the code is a partial solution at best. If officials have the opportunity to test a system end-to-end (and the system has no way to determine whether it’s running the “real” election or the test), the high volume testing that California has proposed would make it difficult to create a trojan that presumed a test based on volume, and therefore didn’t hack specific results.

I understand the call for open source, but I think it’s the kind of thing that could engender a false sense of security. If you’re blindly trusting the hardware and firmware, reviewing only the source is a bit lame. – Tim