The case for open-source software in elections

From: Hamilton Richards <hrichrds_at_swbell_dot_net>
Date: Wed Feb 07 2007 - 20:41:05 CST

There's a good case to be made for open-source software in elections,
but that case has nothing to do with security, i.e., protection
against vote-counting fraud or error.

One of the supposed benefits of software transparency is that it
allows for the software to be tested by independent third parties.
But testing does not yield security; as Dijkstra observed many years
ago, "program testing can be used very effectively to show the
presence of bugs, but never to show their absence." [1] In e-voting
terms, testing can show that a machine is capable of counting votes
correctly, but cannot show that it is incapable of counting votes
incorrectly (how's that for a triple negative?).

Another supposed benefit of software transparency is that it allows
for the software to be inspected by independent third parties. But
where security is concerned, software inspection is no more useful
than testing. This was demonstrated as long ago as 1984 by Ken
Thompson in his Turing Award lecture, in which he concluded that

      No amount of source-level verification will protect
      you from using untrusted code. [2]

A recent NIST draft white paper recognized the futility of the quest
for trustworthy election software when it called for "software
independence", which it defined as follows:

      A voting system is software-independent if a previously
      undetected change or error in its software cannot cause
      an undetectable change or error in an election outcome. [3]

In short, software alone cannot be relied upon to count votes
correctly. Hence if software is used at all in elections, it must be
backed up by independent voter-verified paper ballots. (I would argue
that it should have no purpose other than to produce those ballots.)

So far my argument -- that making e-voting software transparent does
not enhance security -- may seem entirely negative. This recognition
does, however, have plenty of positive consequences. If we're not
depending on open-source software to count votes correctly, the
stringency of the safeguards surrounding its production,
distribution, installation, and operation can be significantly
relaxed. We can more readily accept the use of COTS firmware in disk
controllers, video cards, and printers, and COTS software for
components not (yet) available in open source. It's no longer so
crucial to ensure that the software that has been certified is the
software that's actually running (not an easy problem [4]). The
stakes are lower all around, and the outfits that certify election
software can concentrate on attributes that are actually testable,
such as the suitability of the human interface, both for voters
casting ballots and for election officials installing and configuring
the software and setting up ballot templates. [I should point out
that one risk remains, viz., DoS attacks shutting down the machines
in certain precincts. That problem needs to be addressed, but I'm not
addressing it here.]

If not security, then what is the case for open source? Brian D.
Newby, Election Commissioner, Johnson County, Kansas, said it well:
Open source would free e-voting equipment purchasers from captivity
by the vendors.[5]

As things stand, a jurisdiction's choice of voting-machine vendor
establishes a long-term relationship from which the customers cannot
escape without writing off their entire investment. The vendor's
proprietary e-voting hardware runs only the vendor's proprietary
software. For maintenance, upgrades, additional purchases, and setup
assistance, the customer must accept whatever service the vendor
wants to provide, at whatever price the vendor wants to charge.

In an open-source regime, the vendors would have to compete not only
for the initial sale, but for ongoing service and subsequent sales.
If the open-source software were designed to run on commodity PCs,
the market would be open to small-business entrepreneurs, and
elections would once again be in the hands of the citizenry.

References

1. Edsger W. Dijkstra, "The Programming Task Considered as an
Intellectual Challenge."
<http://www.cs.utexas.edu/users/EWD/ewd02xx/EWD273.PDF>

2. Ken Thompson, "Reflections on Trusting Trust." Communications of
the ACM 27, 8 (Aug 1984): 761-763.
<http://portal.acm.org/citation.cfm?doid=358198.358210> (Sorry, that
archive is for subscribers only; if you want a copy, send me an
e-mail.)

3. "Requiring Software Independence in VVSG 2007: STS Recommendations
for the TGDC." NIST, November 2006.
<http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf>

4. Sean Whaley, "Former gaming official sent to jail for slot scam."
Las Vegas Review Journal, 10 January 1998
<http://www.reviewjournal.com/lvrj_home/1998/Jan-10-Sat-1998/news/6745681.html>

5. Brian D. Newby, Election Commissioner, Johnson County, Kansas
<http://www.openvotingconsortium.org/supporters>

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Feb 28 23:17:13 2007
