
Wired: Aussies use open-source voting



http://www.wired.com/news/ebiz/0,1272,61045,00.html?tw=wn_tophead_1

Aussies Do It Right: E-Voting

By Kim Zetter

02:00 AM Nov. 03, 2003 PT

While critics in the United States grow more concerned each day about
the insecurity of electronic voting machines, Australians designed a
system two years ago that addressed and eased most of those concerns:
They chose to make the software running their system completely open
to public scrutiny.

Although a private Australian company designed the system, it was
based on specifications set by independent election officials, who
posted the code on the Internet for all to see and evaluate. What's
more, it was accomplished from concept to product in six months. It
went through a trial run in a state election in 2001.

Critics say the development process is a model for how electronic
voting machines should be made in the United States.

Called eVACS, or Electronic Voting and Counting System, the system was
created by a company called Software Improvements to run on Linux, an
open-source operating system available on the Internet.

Election officials in the Australian Capital Territory, one of eight
states and territories in the country, turned to electronic voting for
the same reason the United States did -- a close election in 1998
exposed errors in the state's hand-counting system. Two candidates
were separated by only three or four votes, said Phillip Green,
electoral commissioner for the territory. After recounting, officials
discovered that out of 80,000 ballots, they had made about 100
mistakes. They decided to investigate other voting methods.

In 1999, the Australian Capital Territory Electoral Commission put out
a public call for e-vote proposals to see if an electronic option was
viable. Over 15 proposals came in, but only one offered an open-source
solution. Two companies proposed the plan in partnership after
extensive consultation with academics at Australian National
University. But one of the companies later dropped out of the project,
leaving Software Improvements to build the system.

Green said that going the open-source route was an obvious choice.

"We'd been watching what had happened in America (in 2000), and we
were wary of using proprietary software that no one was allowed to see,"
he said. "We were very keen for the whole process to be transparent so
that everyone -- particularly the political parties and the
candidates, but also the world at large -- could be satisfied that the
software was actually doing what it was meant to be doing."

It took another year for changes in Australian law to allow electronic
voting to go forward. Then in April 2001, Software Improvements
contracted to build the system for the state's October election.

Software Improvements' Matt Quinn, the lead engineer on the product,
said the commission called all the shots.

"They, as the customer, dictated requirements including security and
functionality, (and they) were involved at every step of the
development process, from requirements to testing," Quinn said. "They
proofed every document we produced."

The commission posted drafts as well as the finished software code on
the Internet for the public to review.

The reaction was very positive.

"The fact that the source code had been published really deflected
criticism," Quinn said.

A few people wrote in to report bugs, including an academic at the
Australian National University who found the most serious problem.

"It wasn't a functional or a security issue but was a mistake
nonetheless, and one that we were glad to have flagged for us," said
Quinn.

In addition to the public review, the commission hired an independent
verification and validation company to audit the code, "specifically
to prevent us, as a developer, from having any election-subverting
code in there," Quinn said.

"We were concerned that it wouldn't be secure enough," said Green, the
electoral commissioner. The audit was performed specifically to search
for security weaknesses in the system, but Green says the researchers
found none.

The state tested 80 machines in the election, distributed among eight
polling places throughout Canberra (the country's capital). A
comparative manual count after the election showed that the system
operated accurately.

The plan is to use the 80 machines again next year, but Quinn said the
difficulty in deploying the system nationwide is that it would have to
be adapted for use over larger geographic areas.

The machines are not what Quinn would call high-tech. The voting
terminal consists of a PC and offers ballots in 12 languages,
including Serbian and Farsi. The system includes English audio for
vision-impaired and illiterate voters.

The voter swipes a bar code over a reader that resets the machine for
a new vote and calls up a ballot. Once a selection is made and
reviewed, the voter swipes the bar code again to cast the vote. The
bar code doesn't identify the voter; it simply authorizes the voter to
cast one ballot.

The terminals link to a server in each polling place through a secure
local-area network so no votes are transmitted over the Internet or
phone lines.

Quinn said the server writes two copies of the votes onto separate
discs that are digitally signed and delivered independently to a
central counting place. The digital signature is a 128-bit unique
identifier generated from the voting data. If the data were changed in
transit, the identifier would change too, raising red flags that
something went wrong.

The machine does not include a voter-verifiable receipt, something
critics of U.S. systems want added to machines and voting machine
makers have resisted.

A voter-verifiable receipt is a printout from the machine, allowing
the voter to check the vote before depositing the receipt into a
secure ballot box at the polling station. It can be used as a paper
audit trail in case of a recount.

Green said the commission rejected the printout feature to keep
expenses down. The system cost $125,000 to develop and implement. The
printouts would have increased that cost significantly, primarily to
pay for personnel to manage and secure the receipts and make sure
voters didn't walk off with them.

Quinn, however, thinks all e-voting systems should offer a receipt.
"There's no reason voters should trust a system that doesn't have it,
and they shouldn't be asked to," he said.

"Why on earth should (voters) have to trust me -- someone with a
vested interest in the project's success?" he said. "A voter-verified
audit trail is the only way to 'prove' the system's integrity to the
vast majority of electors, who after all, own the democracy."

As for the costs of securing and storing such receipts, Quinn said,
"Did anyone ever say that democracy was meant to be cheap?"

Quinn also believes that voting systems must use open-source software.

"The keystone of democracy is information," he said. "You have a big
problem when people don't have enough information to make up their
minds or, even worse, they have misleading information and make up
their minds in a way that would be contrary to what they would decide
if they had the full story.

"Any transparency you can add to that process is going to enhance the
democracy and, conversely, any information you remove from that
process is going to undermine your democracy."

The issues of voter-verifiable receipts and secret voting systems
could be resolved in the United States by a bill introduced to the
House of Representatives last May by Rep. Rush Holt (D-New Jersey).
The bill would force voting-machine makers nationwide to provide
receipts and make the source code for voting machines open to the
public. The bill has 50 co-sponsors so far, all of them Democrats.

"If a voting system precludes any notion of a meaningful recount, is
cloaked in secrecy and controlled by individuals with conflicts of
interest, why would anyone buy it?" Quinn said. "At the very least
give citizens the right to choose whether they want to use paper
ballots ... thus allowing each elector to be personally satisfied as
to the integrity of the process in which they are participating."

Quinn, who was working in Chicago for Motorola during the 2000
presidential election, says he is "gob smacked" by what he sees
happening among U.S. electronic voting machine makers, who he says
have too much control over the democratic process.

It has been widely reported that Ohio-based Diebold Election Systems,
one of the biggest U.S. voting-machine makers, purposely disabled some
of the security features in its software. According to reports, the
move left a backdoor in the system through which someone could enter
and manipulate data. In addition, Walden O'Dell, Diebold Election
Systems' chief executive, is a leading fundraiser for the Republican
Party. He stated recently that he was "committed to helping Ohio
deliver its electoral votes to the president next year."

"The only possible motive I can see for disabling some of the security
mechanisms and features in their system is to be able to rig
elections," Quinn said. "It is, at best, bad programming; at worst,
the system has been designed to rig an election."

"I can't imagine what it must be like to be an American in the midst
of this and watching what's going on," Quinn added. "Democracy is for
the voters, not for the companies making the machines.... I would
really like to think that when it finally seeps in to the collective
American psyche that their sacred Democracy has been so blatantly
abused, they will get mad."

But he says that the security of voting systems in the U.S. shouldn't
concern Americans alone.

"After all, we've all got a stake in who's in the White House these
days. I'm actually prone to think that the rest of the world should
get a vote in your elections since, quite frankly, the U.S. policy
affects the rest of the world so heavily."
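
Added example, not part of the Wired article or the eVACS code: a Python
version of the check the article describes for the two signed discs, in
which the counting centre recomputes a 128-bit identifier over each copy
and then compares the copies. The article does not name the algorithm, so
HMAC-SHA-256 truncated to 128 bits, the key, the ballot format and all
function names here are assumptions.

```python
import hashlib
import hmac

TAG_BYTES = 16  # 128 bits, the identifier size the article gives

# Constructed sample data: the key and ballot format are assumptions.
KEY = b"constructed-demo-key-not-a-real-secret"
VOTES = b"ballot-0001:3,1,2\nballot-0002:2,1\nballot-0003:1\n"


def make_tag(key: bytes, votes: bytes) -> bytes:
    """128-bit keyed tag over the vote file (HMAC-SHA-256, truncated).

    Keyed rather than a plain digest: a plain digest stored beside the
    data only catches accidental corruption, because anyone can recompute it.
    """
    return hmac.new(key, votes, hashlib.sha256).digest()[:TAG_BYTES]


def write_disc(key: bytes, votes: bytes) -> dict:
    """Contents of one disc as the polling-place server would write it."""
    return {"votes": votes, "tag": make_tag(key, votes)}


def check_discs(key: bytes, disc_a: dict, disc_b: dict) -> str:
    """Central count: verify each disc's tag, then compare the two copies."""
    bad = [
        name
        for name, disc in (("A", disc_a), ("B", disc_b))
        if not hmac.compare_digest(make_tag(key, disc["votes"]), disc["tag"])
    ]
    if bad:
        return "REJECT: tag mismatch on disc " + " and ".join(bad)
    if disc_a["votes"] != disc_b["votes"]:
        return "REJECT: tags valid but copies differ"
    return "ACCEPT"


def demo() -> list:
    disc_a, disc_b = write_disc(KEY, VOTES), write_disc(KEY, VOTES)
    # A ballot altered on disc B after writing; its stored tag is now stale.
    changed = dict(disc_b, votes=VOTES.replace(b"0002:2,1", b"0002:1,2"))
    # Two correctly tagged discs that nevertheless hold different data.
    other = write_disc(KEY, VOTES + b"ballot-0004:2\n")
    return [check_discs(KEY, disc_a, disc_b),
            check_discs(KEY, disc_a, changed),
            check_discs(KEY, disc_a, other)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third case is why two independently delivered copies matter: each disc
passes its own tag check, and only the cross-comparison shows they disagree.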