How open is open enough for electronic voting?

Author: Jay Lyman

Most of the attention and current criticism of America’s e-voting infrastructure and technology is focused on the lack of a verifiable paper audit trail, but an equally prominent issue is the closed nature of election system certification, companies, and software.

Many e-voting experts stress that true open source software for elections — meaning publicly available source code — is just as important as a paper record. However, there are also those who argue open source is simply too open to be secure.

Among those apprehensive about open source election software and
systems is, perhaps surprisingly, Clive Boughton, an Australian developer
and senior lecturer at Australian National University, who helped
design eVACS, the open source, GPL-licensed election software used in
Australian elections in 2001.

Boughton, however, said that a new development effort by eVACS maker
Software Improvements will focus on source code that is available “in an
electronically unchangeable ‘read-only’ form to persons who seek and are
given permission to view the code.”

In a paper presented last month at the OSCON open source conference in
Portland, Ore., Boughton argued there is little point in exposing source
code widely if the voters are already distrustful or apathetic about the
election systems they’re using. Citing recent elections in Maryland,
Boughton wrote, “it would seem that electors, politicians, and electoral
officials alike just didn’t want to know about the potential inadequacies of
the election system under consideration for deployment.”

Maryland may be waking up to its election lull with an advancing court
case demanding paper ballots, and the state’s e-voting check followed
similar action in California, which is now considering a requirement for
paper ballots. However, it is still troubling to consider the reported secrecy, shoddy certification, and closed
code in today’s U.S. elections systems.

“Making the source code for an election system public probably adds
little value to ensuring trust,” Boughton’s paper said. “Most electors
neither wish to nor are capable of adequately scrutinizing strangely
expressed language even more foreign than legalese. To them openness is
immaterial.”

Open apprehension

Boughton, who said U.S. and other voters are also unaware of or apathetic to
the possibility of election tampering, said the development procedures he
proposes are “intended to meet the requirements of trust and not just in
an emotional sense.”

“My concern is that any voting system is going to be a target for
corruption,” he said in an email message. “Whilst I generally endorse the
concepts and precepts of open source development and licensing, I am not
sure [that] what is in place now in regard to open source development will
guarantee the trust in a voting system.”

Boughton said his paper puts forward a plausible way to handle concerns
such as trust and corruption. He said that he is open to better ideas, but
has not yet heard a justified alternative that would meet the needs of all
stakeholders.

“One of the reasons for the success of the original eVACS was the
inclusion of many stakeholders,” Boughton said. “The greater majority were
not developers. Many were potential users, including those with physical
impairment. Some were politicians. Others were election system volunteers
and maintainers. Most couldn’t give a hoot as to whether the system was
developed under an open source approach.”

Boughton said those who knew were comfortable with the idea that the
code was audited by an independent entity and that it was generally open to
scrutiny.

“The point is that we took into account the input of more than one set of
stakeholders,” Boughton said. “Differing beliefs, understandings, and
requirements are all part of the development puzzle and no one view should
dominate to the extent that all others are excluded. The general open source
community is fully aware of these issues, but there are some individuals who
strongly believe, without justification or evidence, that open source is the
only way to develop and license election systems. I simply don’t think
things are that simple and I therefore feel that the whole issue needs to be
investigated by many more stakeholders than the few within the open source
community, or for that matter a single proprietary company.”

Controlled reconsidered

Boughton, who originally referred to his proposed approach as “controlled
open source,” said many other software developers, including some who
are strongly pro-open source and favor GPL, have agreed that a
one-size-fits-all approach to open source development may need to be
assessed differently in light of high integrity software system development
and licensing.

“It appears that the term ‘controlled open source’ is seen as an oxymoron
and is the main reason for any objection to what I am suggesting,” Boughton
said. “My choice of descriptor ‘open source’ as a general term is obviously
not a good one. I am certainly not suggesting secret, proprietary code or
development. I just don’t want to have everything so free and open that
corruption could become rife.”

Boughton, who earlier complained about the presentation of his paper at OSCON, clarified that the redeveloped e-voting system from Software Improvements will not be called eVACS.

In his paper, Boughton said Software Improvements intends to make the
source code of the new system available for purposes of transparency, “but
in a controlled manner.” The company said it has yet to make a decision on
licensing for the new election software.

Necessary, but not sufficient

Electronic voting experts such as Johns Hopkins University’s Avi Rubin
said open source development is no guarantee of trustworthy election
software, but indicated open source code is one necessary component.

“Open source is necessary but not sufficient for trustworthy systems,”
said Rubin, a computer science professor at Johns Hopkins. “Just because the
source is open does not mean that it does not contain hidden functionality.
It is a common misconception that open source will make voting systems
secure.”

Rubin did add, however, that the voting public does have a right and
reason to have access to election software and systems.

“I think it is unconscionable to hide the details of how e-voting
machines work from the public,” he said.

Tacit admission of insecurity

David Wagner, an e-voting expert and assistant professor of computer
science at the University of California, Berkeley, said there is some
confusion regarding open source development and open source code for
election systems. Wagner said open source development is far less important
than open source code that is publicly available.

Wagner said public policy has long held that there is transparency in
critical systems, but election software and machines seem to have become an
exception.

Wagner, who co-authored a report that prompted the end of a proprietary,
governmental e-voting experiment that was found to be totally insecure, said
anything short of publicly available code is not open enough.

“I don’t see limitations on who can look at source code as making any
sense,” Wagner said. “It should be viewed as a tacit admission that it’s not
secure enough. It’s a mistake to think of secrecy as a security measure
because it’s not.”

Wagner said although most election officials are not code hackers and
have not demanded access to source code, there is growing pressure to make
election software and systems open to inspection and analysis. As for the
top voting vendors, Wagner said they have a vested interest in keeping code
closed.

“I think companies see keeping code secret as an important barrier to
entry that enables them to stay business competitive,” Wagner said.