[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Disclosure of software for voting systems

To: bcv@xxxxxxxxxxx
Subject: Disclosure of software for voting systems
From: Neal McBurnett <neal@xxxxxxxxxxxxxxxxx>
Date: Fri, 12 Dec 2003 15:26:33 -0700
Delivered-to: mailing list bcv@booyaka.com
List-help: <mailto:bcv-help@booyaka.com>
List-post: <mailto:bcv@booyaka.com>
List-subscribe: <mailto:bcv-subscribe@booyaka.com>
List-unsubscribe: <mailto:bcv-unsubscribe@booyaka.com>
Mailing-list: contact bcv-help@booyaka.com; run by ezmlm
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030625

I just wrote

Disclosure of software for voting systems http://bcn.boulder.co.us/~neal/elections/disclosure.html

and submitted it for the list of NIST position papers

http://vote.nist.gov/posstatementurls.html

I'll continue to polish it for a few days at least and welcome your
feedback.

Thanks,

Neal McBurnett http://bcn.boulder.co.us/~neal/
Signed and/or sealed mail encouraged. GPG/PGP Keyid: 2C9EBA60

----------

Disclosure of software for voting systems

Full disclosure is the only path to software that voters can trust.

Believers in democracy all agree it depends on verifiable elections. We repudiate the sneering words of Nicaraguan dictator Anastasio Somoza "You won the election, but I won the count." [

1977]. The question is how to verify elections. Recently, consensus is growing around the need for a tangible, re-countable voter verified paper ballot as a key ingredient. That would be required by the Voter Confidence Act (HR 2239, S 1980). But another mandate of this important legislation is less well publicized or understood - the requirement to disclose the source code to any citizen.

Paper ballots are only helpful if they are counted in a verifiable way. Previous practice has been to require that the source code for the software for ballot counting systems be reviewed by a third-party organization. But recent history has demonstrated that these reviews have missed major flaws. In four major systems that had already been certified, independent reviews have shown that the software has multiple flaws. [Johns Hopkins, SAIC, Ohio Secretary of State's office]. The election industry is finally beginning to learn what other industries have known for a while now: writing secure software is really hard. And it is harder still when we also need to preserve the anonymity of the voter.

One instinctual notion is "Security through Obscurity". I.e. some people think the systems should be designed in secret and hidden from as many people as possible. But decades of research and experience now show that in fact openness is the best approach in this sort of situation.

When the US wanted a new Advanced Encryption Standard (AES), they didn't rely on military spooks to design it with gazillions of dollars. They announced a public, open, worldwide competition. Algorithms were proposed and coded and disclosed and debated for years. The winning entry, from Belgium, was then presented to the world for free use.

The best model is electronic communications and commerce on the Internet. More secure web sites rely on "Open Source" software called Apache than anything else [2003].

A natural question is "But isn't it risky to allow absolutely anyone to look at your source code?". First we have to look at what risks we're worried about. Elections expert Douglas Jones writes "A trustworthy system of elections must rest on one central principle: Trust no-one". This is not out of paranoia, but simply because it's really important, and we don't have to trust anyone. The lack of security in the software that we currently use leaves elections vulnerable to manipulation by unscrupulous insiders, elections officials, and other savvy people. Full disclosure would induce the designers to be more careful, and provide them with assistance from the same enormous pool of talent that voluntarily contributed to AES and Apache.

A policy that limits code review to vendors and third-party reviewers means that the software will not benefit from the increased quality that comes from greater review, and thus remain vulnerable to manipulation by those who do have access to it.

There are different disclosure approaches. One option is to require that all the code be fully disclosed, but allow vendors to retain exclusive rights to sell it for use in elections. It would also be possible to require that the software be provided under an Open Source license which would allow anyone to reuse it, or to require use of the GNU Public License (GPL). Such "Free Software" also requires that people who make and distribute changes "share and share alike". But note that it is possible to buy support for both Free Software and Open Source software. We're talking about "free as in freedom".

My advice is to allow the laws to stop at full disclosure. This is more or less like requiring blueprints from building contractors. But I'd advise the people that acquire the systems and run the elections to recognize that using Free Software has big advantages. One is freedom from the risk that the vendor will go out of business.

Now you're thinking "Isn't this just pie in the sky? Who would really write and give away a free election system?" Well, one such system is already in use in Australia. EVACS beat out proprietary rivals in a competition. It is provided by a company named Software Improvements. Similar development projects are underway elsewhere.

Neal McBurnett

Last modified: Fri Dec 12 14:51:52 MST 2003

Prev by Date: DRAFT: CVV Press Release
Next by Date: Fwd: Avante System Disclosure Statement
Previous by thread: Re: DRAFT: CVV Press Release
Next by thread: Fwd: Avante System Disclosure Statement
Index(es):
- Date
- Thread