Open source: How e-voting should be done
28 October 2008, 09:43
"It is enough that the people know there was an election. The people who cast the votes decide nothing. The people who count the votes decide everything." -- Joseph Stalin
In the past eight years, elections in the United States have taken on the guise of a TV game show, with the elections themselves not quite as compelling as watching voting mechanisms fail across the country, especially in key battleground states. Pols and pundits from both sides of the aisle are quick to place most of the blame on faulty electronic voting systems. But until the US sets a technical policy that favors open voting systems, as Australia did in 2001 with its open source eVACS (Electronic Voting and Counting System), we have only ourselves to blame.
The closed source approach to disenfranchisement
Current US policy ensures that e-voting remains in the hands of very few proprietary vendors, including the much-maligned Diebold, which has received so much bad press that it has renamed its voting machine division Premier Election Solutions.
Don't let the new name fool you. Little has changed about e-voting systems, which take on several forms, including the two most common: touchscreen devices and optical-scan readers. What they have in common, however, is that they all use closed source code. In many cases, even the manufacturers don't have the source code to software running on their own systems. Premier Election Solutions recently advised that its machines lost votes in Ohio primaries due to an incompatibility with McAfee's anti-virus software. In the words of XKCD, someone is clearly doing their job horribly wrong. Later, Premier claimed that its own software was at fault.
More often than not, however, blame for e-voting failure is placed on the storage media of these devices, either due to their relative fragility or their apparent ease of tampering.
When results from elections conducted on e-voting systems are called into question, manufacturers point the finger at defective "memory cartridges." Those of us in IT know that if all flash storage were this error-prone, digital cameras and iPods wouldn't exist. Worse, we know it's far simpler to pocket or swap out a small flash card containing a few thousand votes than it would be if those votes were recorded on paper ballots.
Another problem of current e-voting systems is that many still in operation provide no paper trail. Americans can't fill up their cars or access their bank accounts from an ATM without being prompted to print a receipt, but in many voting precincts, we can vote with nothing tangible to show for it.
Most voters already know these systems are flawed. It's the relative lack of outrage that is troubling. Perhaps trust in the electoral process is still sufficient to assuage fears of stolen elections, or the issue of flawed voting technology itself has become a running joke, like cracks about an honest politician. Even The Simpsons parodied the situation recently.
Those of us who live in IT every day know better. We know exactly how poorly designed some software frameworks are. We see the security challenges presented by Web servers, mail servers, remote access, and so on, but when it comes to the foundation of our democracy, we just shake our heads and move on.
Maybe it's time for us geeks to come to the rescue, with a little help from Congress. We've built the Internet, designed staggeringly complex technologies for conducting lightning-speed financial transactions, securing sensitive patient data, even our own entertainment. After all, you'd be hard-pressed to say that there's more complexity in an e-voting machine than in, say, your TiVo or even your mobile phone.
But the key to securing e-voting resides in making its systems open source.
Opening the polls to open source
If you look around the open source community, you will find a wide variety of projects that are not only widely used but extremely well designed and very secure. Apache, Perl, PHP, OpenBSD, FreeBSD, and the Linux kernel are just a few examples. Coders who contribute to these projects generally do so without remuneration, producing some of the best code available.
It's time for us to make good on the promise of open elections and open our e-voting systems as well -- no black boxes, no intellectual property protections, no obfuscation, and certainly no backdoors. Doing so would require a federal mandate, one that would eliminate the use of closed source devices.
This being a free-market economy, vendors should certainly be able to participate in the construction of truly secure e-voting systems. But to ensure the integrity of our elections, the code they run on their products must be open. Moreover, it should be the same across all e-voting platforms. Just as the PC industry produces multiple PC brands that all run Windows, e-voting vendors should produce systems that run the same open source voting software.
The open source community has already gotten involved in reshaping our approach to e-voting systems. The Open Voting Consortium, for example, is pushing for simple, standard touchscreen voting systems that do not interface directly with any other system and do not record votes. These systems would simply print paper voting receipts with bar codes that would then be scanned and dropped into a ballot box, officially casting the vote.
This method removes the need for any polling station to be held responsible for counting votes, thus eliminating any effect tampering with machines might have on results. It also ensures a paper trail for potential recounts. Moreover, by relying on paper in printers rather than official ballots, no voter can be turned away for lack of ballots at a polling place.
This solution is cheap and straightforward, yet isn't widely used. Instead, we have spent billions of dollars on commercial solutions that offer no paper trail -- just a poor security history.
One recent example involved a Republican at-large election in Washington, D.C., in which thousands of votes appeared and then disappeared during the day. Sequoia Voting Systems equipment was used for that election. Not surprisingly, Sequoia has laid the blame for those phantom votes on human error, perhaps a corrupt memory cartridge. Retailers wouldn't accept cash registers that were this error-prone. In many cases, brand-new e-voting systems have been shelved due to such issues, at a fantastic cost to taxpayers.
Network integrity: Ensuring all votes count
Leveraging existing network infrastructures to completely remove the polling place from the vote-counting equation is another essential step to ensuring secure elections.
In many cases, public polling is conducted in government buildings, schools, community centers, and other facilities equipped with some form of broadband Internet access. Devices running open source software could be made to create an instant, encrypted link to transmit all votes to a centralized server, while still providing a paper trail at the polling place in the form of a printout.
In this way, votes from a significant number of precincts could be counted as they are entered, rather than after the fact. Communication with the central server would be secured using existing encryption methods such as AES (Advanced Encryption Standard) and certificate-based authentication. Even when voting in someone's garage, your vote would be more secure than it would be using a pile of flash cards in a box.
In addition, these devices wouldn't require manual configuration. Once connected and authenticated to the central server, all ballot choices would be pulled from the central server for display to the voter. Thus, setting up the polling place would simply require volunteers to plug everything in and turn the systems on.
Of course, connectivity to the central server is sure to be this solution's weakest link. Though all transactions would be encrypted, the system would also need to incorporate a queuing method to retain votes until the server is available. This functionality could also maintain vote integrity even where Internet connectivity is not available. Simply connect the device to the network at a later time, and the votes are delivered to the central server. As above, paper receipts of each vote would be made available as they were cast, as a fallback should problems occur.
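The store-and-forward design sketched above (seal each vote as it is cast, hold it locally while the link is down, deliver it when the central server is reachable, and have the server refuse replays and gaps) is concrete enough to show in code. The following Go program is an added example written for this article, not code from the Open Voting Consortium or any vendor. It stands in for the "existing encryption methods" the text names with AES-GCM, which authenticates as well as encrypts; the record layout, the 32-byte demo key and the per-device sequence counter are constructed for the example. Certificate-based authentication of the link is assumed to have already happened and is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// VoteRecord is one cast ballot as the device records it. The field names are
// constructed for this example and come from no real system.
type VoteRecord struct {
	Precinct string            `json:"precinct"`
	Seq      uint64            `json:"seq"`
	Choices  map[string]string `json:"choices"` // contest -> selection
}

// SealedRecord is what leaves the device: a fresh nonce plus the AES-GCM
// ciphertext. Seq travels in the clear but is bound to the ciphertext as
// additional authenticated data, so it cannot be altered in transit.
type SealedRecord struct {
	Seq        uint64
	Nonce      []byte
	Ciphertext []byte
}

func seqAD(seq uint64) []byte {
	ad := make([]byte, 8)
	binary.BigEndian.PutUint64(ad, seq)
	return ad
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DeviceQueue seals votes as they are cast and keeps them until the server
// has accepted them. Enqueue never depends on the network being up.
type DeviceQueue struct {
	aead    cipher.AEAD
	nextSeq uint64
	pending []SealedRecord
}

func NewDeviceQueue(key []byte) (*DeviceQueue, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &DeviceQueue{aead: aead, nextSeq: 1}, nil
}

// Enqueue seals one ballot under the device key and appends it locally.
func (q *DeviceQueue) Enqueue(precinct string, choices map[string]string) error {
	plain, err := json.Marshal(VoteRecord{Precinct: precinct, Seq: q.nextSeq, Choices: choices})
	if err != nil {
		return err
	}
	nonce := make([]byte, q.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := q.aead.Seal(nil, nonce, plain, seqAD(q.nextSeq))
	q.pending = append(q.pending, SealedRecord{Seq: q.nextSeq, Nonce: nonce, Ciphertext: ct})
	q.nextSeq++
	return nil
}

// Flush delivers pending records in order. On the first failure it stops and
// keeps that record and everything after it for a later attempt.
func (q *DeviceQueue) Flush(send func(SealedRecord) error) (int, error) {
	delivered := 0
	for len(q.pending) > 0 {
		if err := send(q.pending[0]); err != nil {
			return delivered, err
		}
		q.pending = q.pending[1:]
		delivered++
	}
	return delivered, nil
}

func (q *DeviceQueue) Pending() int { return len(q.pending) }

// CentralServer models the tally side for one device: it authenticates each
// record, enforces a strict sequence (no gaps, no replays) and then tallies.
type CentralServer struct {
	aead    cipher.AEAD
	Online  bool
	lastSeq uint64
	Tally   map[string]map[string]int // contest -> selection -> count
}

var ErrOffline = errors.New("central server unreachable")

func NewCentralServer(key []byte) (*CentralServer, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &CentralServer{aead: aead, Tally: map[string]map[string]int{}}, nil
}

func (s *CentralServer) Receive(rec SealedRecord) error {
	if !s.Online {
		return ErrOffline
	}
	if rec.Seq != s.lastSeq+1 {
		return fmt.Errorf("seq %d rejected, expected %d (replay or gap)", rec.Seq, s.lastSeq+1)
	}
	plain, err := s.aead.Open(nil, rec.Nonce, rec.Ciphertext, seqAD(rec.Seq))
	if err != nil {
		return fmt.Errorf("seq %d failed authentication: %w", rec.Seq, err)
	}
	var v VoteRecord
	if err := json.Unmarshal(plain, &v); err != nil {
		return err
	}
	for contest, choice := range v.Choices {
		if s.Tally[contest] == nil {
			s.Tally[contest] = map[string]int{}
		}
		s.Tally[contest][choice]++
	}
	s.lastSeq = rec.Seq
	return nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, not a provisioned one
	q, _ := NewDeviceQueue(key)
	srv, _ := NewCentralServer(key)
	q.Enqueue("P-01", map[string]string{"mayor": "Candidate A"})
	q.Enqueue("P-01", map[string]string{"mayor": "Candidate B"})
	n, err := q.Flush(srv.Receive)
	fmt.Printf("link down: delivered=%d pending=%d err=%v\n", n, q.Pending(), err)
	srv.Online = true
	n, err = q.Flush(srv.Receive)
	fmt.Printf("link up: delivered=%d pending=%d err=%v tally=%v\n", n, q.Pending(), err, srv.Tally)
}
```

The points worth noticing are the failure modes: a vote is sealed and queued the moment it is cast, so the network state never decides whether it is recorded; a delivery attempt while the server is unreachable leaves the queue untouched; and the server discards a replayed or re-sequenced record before it can touch the tally, because the sequence number is covered by the authentication tag. In a fielded device the queue would live in non-volatile storage and the paper printout would be produced at Enqueue time, as the article proposes.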
Open source in the voting booth
Anyone familiar with current e-voting technologies will note that the logistics of this solution are no more or less complex than those of existing systems. The key, however, is that they would be driven by open source code that anyone could download and use.
With all the covers off, it becomes extremely difficult to embed backdoors or commit cloak-and-dagger fraud. The ability to view the code that records our votes should be a basic right -- if only to ensure that the conditions leading to a successfully recorded vote do not set success as a default.
The best bet for an open voting system would be code based on NetBSD or OpenBSD, embedded in nonremovable flash on the mainboard of the device. The device would also require a serial or USB-driven touchscreen, as well as a USB-connected, embedded printer. Code updates to the device would not be allowed via the touchscreen, but rather through a certificate or key-secured USB or serial connection.
Such a device would be less complex than a McDonald's cash register, running extremely basic, open code that's been hardened for years, and can be easily reduced to only the required functions. There's no reason it couldn't be cheap, simple, and extremely easy to produce. Further, it should easily handle being mothballed for a year or two between elections.
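The update path described above (no code changes through the touchscreen, only through a key-secured service connection) amounts to a signed-update check with a trust anchor baked into the device's non-removable flash. The Go program below is an added example for this article, not code from any voting vendor; it uses Ed25519 signatures as a stand-in for whatever key or certificate scheme an implementation would choose, and the image layout, version numbering and demo keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is what arrives over the service port: a version number, the
// firmware payload and a detached signature. The layout is constructed here.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version to the payload hash so that a valid
// signature on one version cannot be moved onto a different payload.
func signedMessage(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the authority side: whoever holds the private key releases code.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// Device holds the public key fixed in non-removable flash and the version
// it currently runs. Nothing else decides whether an update is accepted.
type Device struct {
	TrustedKey ed25519.PublicKey
	Installed  uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the trusted key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// ApplyUpdate fails closed: the image is rejected unless the signature checks
// out under the trusted key and the version moves strictly forward.
func (d *Device) ApplyUpdate(img UpdateImage) error {
	if !ed25519.Verify(d.TrustedKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = img.Version
	return nil
}

func main() {
	// Demo keys generated on the spot; a real device would ship with the public key only.
	pub, priv, _ := ed25519.GenerateKey(nil)
	dev := &Device{TrustedKey: pub, Installed: 1}
	good := SignUpdate(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine v2:", dev.ApplyUpdate(good), "installed =", dev.Installed)
	tampered := good
	tampered.Payload = []byte("constructed firmware payload v2, altered")
	fmt.Println("altered payload:", dev.ApplyUpdate(tampered))
	fmt.Println("replayed v2:", dev.ApplyUpdate(good))
}
```

The rollback check matters as much as the signature check: without it, a correctly signed but older image could be used to reinstate code that a later release fixed.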
Detractors will claim that if the code is open, anyone planning to commit fraud will have the blueprints to circumvent the security of the system. The ever-growing adoption of open source software in businesses large and small, as well as the Internet's reliance on open source solutions, provides evidence to the contrary. For example, open cryptography solutions are no less secure than their closed counterparts. In fact, one could argue that they're more secure, given that complete code visibility greatly reduces the potential for backdoors.
Open elections require open systems
Ultimately, the call for open source e-voting systems isn't as much about open source software as it is about securing our inalienable right to legitimate elections. It just so happens that open source is the best way to accomplish that goal.
If the past few elections are any indication, secure voting machines are essential to political legitimacy. With machines sold by companies that produce far more secure ATMs than voting systems, something must change, especially as the inaccuracies and irregularities incurred by these systems continue to mount. No effective steps have been taken by the government thus far to address the integrity of our vote, other than small measures by state and county governments that have already blown budgets on insecure systems.
In 2002, Congress passed the Help America Vote Act in response to the hanging-chad debacle of Florida's 2000 presidential elections. The act's main thrust was to provide money to states to replace outdated punch-card- and lever-based voting systems with optical-scan or touchscreen models. The act largely accomplished that goal, filling the coffers of closed source voting system manufacturers. In doing so, the act may have inadvertently placed the country in a worse situation, given how difficult it is to rig large numbers of votes with punch card or lever systems. By contrast, a single poorly designed e-voting machine can be used to covertly modify large numbers of votes.
Of course, even with a paper ballot cast in a locked box, there have never been fail-safe assurances that any given vote has been counted and recorded. Human error and malfeasance are sure to be constants.
Yet in every industry, computers have reduced or eliminated human error and guarded against fraud. From banking to taxes to tollbooths, computers ostensibly provide a dispassionate third party to tally numbers, not as we might wish them to be but as they are. Voting systems are no exception, and they should be afforded far more protections, oversight, and regulation than those in most other industries as they protect the very foundation for our democracy.
The law has always trailed behind technical innovation. In the case of e-voting, Congress must act to close this gap, by passing legislation to provide grants for developing a single, open framework for all voting systems and to provide funds to states to retrofit existing hardware where possible.
This "Open Vote Act" should also enact laws that prohibit the use of any voting system that does not provide a paper audit trail, and it should mandate that companies use government-approved voting code without modification when building proprietary systems. If we can nationalize big banks and spend a trillion dollars to recover from the irresponsible actions of a relative few, we can certainly nationalize portions of our voting infrastructure. There's too much at risk to think otherwise.
Hanlon's razor: IT's call to action
As we head into the 2008 elections, we all hope that there are no surprises come Election Day. The media will hang on every instance of voting-system inaccuracy, and we're sure to hear from voters across the country who have been inadvertently disenfranchised by malfunctioning e-voting systems.
Here, Hanlon's razor ("Never attribute to malice that which can be adequately explained by stupidity.") comes into play. If there are widespread problems with e-voting systems this time around, we have no one but ourselves to blame. We have seen the flaws of these systems, and we have not acted to correct the system that has given rise to them.
If voting irregularities occur during this election, let's hope the novelty of current e-voting systems will wear off for the population at large, giving way to meaningful voting reform in Washington. If everything seems to go smoothly, however, let's not just assume the issue of e-voting security has magically gone away.
Either way, those of us who know how computers work, who know how easy it is to slip backdoors into closed code, and who know how these problems should be addressed will always provide an undercurrent of distrust -- not just for our individual votes but for the entire elections system in general.
Isn't it time we put our knowledge into action?