Re: The case for open-source software in elections

From: David RR Webber (XML)
Date: Thu Feb 08 2007 - 11:39:47 CST
Hamilton,
 
This is very well reasoned.  I would add a couple more pieces to
the puzzle.
 
For me - trust is established when you are using open source software
that is conforming to an open public specification of process and
voting records and artifacts.
 
The fact that you have open source and open specification of the voting
means you can actually check the code to see if it is doing what you
expect.  Just having open source of something that you have only
a vague inkling of what it is doing - clearly falls into the tar pits
you note below (if you don't know what it is doing, how can you
know it is not doing something else as well?!?)
 
Further - again following your rationale - the beauty of the open setup is
that you can greatly simplify testing by focusing on the outputs and
controls at the pivot points between functional components and
develop conformance and testing suites to verify those. (Something
NIST BTW is very good at - but so far they've not been able to get at
because of the heel dragging over adopting an open public standard).
 
And then interoperability can be used as a further "blackbox" test -
since if components A, B, C, X, Y, Z all follow the standards - then
they should be interchangeable without changing the final result.
 
The other missing piece is then a set of mechanisms that are designed
to provide trusted means of auditing and verifying the election
and count.   These are analogous to accounting practices for double-
entry ledgers, etc., and involve the production of at least two or more
separate and independent countable record sets.
 
So when I refer to a trusted voting system - I expect to see all of
these aspects manifested, and I agree - this will then make the
current onerous and totally pointless certification process a
classic history lesson example of "how not to do it".  I've felt this
since day-one of reviewing the HAVA and EAC work in this area -
"OK - this is a completely futile exercise that proves nothing except
 keeping lawyers at bay through obfuscation and complexity and
 provides a salve to the general public - your voting systems are
 certified".  So of course was the SS Titanic.
 
Thanks, DW

"The way to be is to do" - Confucius (551-472 B.C.)


-------- Original Message --------
Subject: [OVC-discuss] The case for open-source software in elections
From: "Hamilton Richards" <hrichrds@swbell.net>
Date: Wed, February 07, 2007 9:41 pm
To: "Open Voting Consortium discussion list"
<ovc-discuss@listman.sonic.net>

There's a good case to be made for open-source software in elections,
but that case has nothing to do with security, i.e., protection
against vote-counting fraud or error.

One of the supposed benefits of software transparency is that it
allows for the software to be tested by independent third parties.
But testing does not yield security; as Dijkstra observed many years
ago, "program testing can be used very effectively to show the
presence of bugs, but never to show their absence." [1] In e-voting
terms, testing can show that a machine is capable of counting votes
correctly, but cannot show that it is incapable of counting votes
incorrectly (how's that for a triple negative?).

Another supposed benefit of software transparency is that it allows
for the software to be inspected by independent third parties. But
where security is concerned, software inspection is no more useful
than testing. This was demonstrated as long ago as 1984 by Ken
Thompson in his Turing Award lecture, in which he concluded that

     No amount of source-level verification will protect
     you from using untrusted code. [2]

A recent NIST draft white paper recognized the futility of the quest
for trustworthy election software when it called for "software
independence", which it defined as follows:

     A voting system is software-independent if a previously
     undetected change or error in its software cannot cause
     an undetectable change or error in an election outcome. [3]

In short, software alone cannot be relied upon to count votes
correctly. Hence if software is used at all in elections, it must be
backed up by independent voter-verified paper ballots. (I would argue
that it should have no purpose other than to produce those ballots.)

So far my argument --that making e-voting software transparent does
not enhance security-- may seem entirely negative. This recognition
does, however, have plenty of positive consequences. If we're not
depending on open-source software to count votes correctly, the
stringency of the safeguards surrounding its production,
distribution, installation, and operation can be significantly
relaxed. We can more readily accept the use of COTS firmware in disk
controllers, video cards, and printers, and COTS software for
components not (yet) available in open source. It's no longer so
crucial to ensure that the software that has been certified is the
software that's actually running (not an easy problem [4]). The
stakes are lower all around, and the outfits that certify election
software can concentrate on attributes that are actually testable,
such as the suitability of the human interface, both for voters
casting ballots and for election officials installing and configuring
the software and setting up ballot templates. [I should point out
that one risk remains, viz., DOS attacks shutting down the machines
in certain precincts. That problem needs to be addressed, but I'm not
addressing it here.]

If not security, then what is the case for open source? Brian D.
Newby, Election Commissioner, Johnson County, Kansas said it well--
Open source would free e-voting equipment purchasers from captivity
by the vendors. [5]

As things stand, a jurisdiction's choice of voting-machine vendor
establishes a long-term relationship from which the customers cannot
escape without writing off their entire investment. The vendor's
proprietary e-voting hardware runs only the vendor's proprietary
software.  For maintenance, upgrades, additional purchases, and setup
assistance, the customer must accept whatever service the vendor
wants to provide, at whatever price the vendor wants to charge.

In an open-source regime, the vendors would have to compete not only
for the initial sale, but for ongoing service and subsequent sales.
If the open-source software were designed to run on commodity PCs,
the market would be open to small-business entrepreneurs, and
elections would once again be in the hands of the citizenry.

References

1. Edsger W. Dijkstra, "The Programming Task Considered as an
Intellectual Challenge."
<http://www.cs.utexas.edu/users/EWD/ewd02xx/EWD273.PDF>

2. Ken Thompson, "Reflections on Trusting Trust." Communications of
the ACM 27, 8 (Aug 1984): 761-763.
<http://portal.acm.org/citation.cfm?doid=358198.358210> (Sorry, that
archive is for subscribers only; if you want a copy, send me an
e-mail.)

3. "Requiring Software Independence in VVSG 2007: STS Recommendations
for the TGDC." NIST, November 2006.
<http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf>

4. Sean Whaley, "Former gaming official sent to jail for slot scam."
Las Vegas Review Journal, 10 January 1998
<http://www.reviewjournal.com/lvrj_home/1998/Jan-10-Sat-1998/news/6745681.html>

5. Brian D. Newby, Election Commissioner, Johnson County, Kansas
<http://www.openvotingconsortium.org/supporters>

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
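Both messages describe the same control from different angles: David's "two or more separate and independent countable record sets" reconciled like a double-entry ledger, plus interoperability as a black-box test across conforming components, and Hamilton's NIST definition of software independence (an undetected software error must not be able to cause an undetectable change in the outcome). The script below is an added illustration of that idea, not code from either author or from the OVC project. Every record set, tabulator, and fault in it is constructed: the point is that the reconciliation flags the discrepancy without needing to know anything about what the software did.

```python
"""Software-independence audit: added example, not from the OVC thread.

Three independent record sets, as the messages above call for:
  1. voter-verified paper ballots (the authoritative, countable record),
  2. the electronic tally reported by tabulator software,
  3. a poll-book count of ballots issued per precinct.
Reconciliation balances them like a double-entry ledger: any mismatch is a
detectable signal regardless of what the tabulator code actually did.
All data and both tabulators are constructed for illustration.
"""
from collections import Counter

# Constructed paper ballots: one (precinct, candidate) pair per voter-verified ballot.
PAPER_BALLOTS = [
    ("P1", "Ada"), ("P1", "Ada"), ("P1", "Bob"), ("P1", "Ada"),
    ("P2", "Bob"), ("P2", "Bob"), ("P2", "Ada"), ("P2", "Bob"), ("P2", "Bob"),
]

# Constructed poll-book totals: ballots issued per precinct (independent of paper and software).
POLL_BOOK = {"P1": 4, "P2": 5}


def hand_count(ballots):
    """Independent count of the paper record.
    Returns (per-(precinct, candidate) totals, ballots counted per precinct)."""
    votes, cast = Counter(), Counter()
    for precinct, candidate in ballots:
        votes[(precinct, candidate)] += 1
        cast[precinct] += 1
    return dict(votes), dict(cast)


def tabulator_reference(ballots):
    """A standard-conforming tabulator (constructed): reports the true totals."""
    return hand_count(ballots)[0]


def tabulator_faulty(ballots):
    """Constructed fault standing in for 'a previously undetected change or
    error in its software': silently drops every third ballot in precinct P2."""
    kept, seen = [], 0
    for precinct, candidate in ballots:
        if precinct == "P2":
            seen += 1
            if seen % 3 == 0:
                continue
        kept.append((precinct, candidate))
    return hand_count(kept)[0]


def reconcile(electronic, ballots, poll_book):
    """Cross-check the three record sets; return a list of discrepancy strings.
    An empty list means the ledgers balance."""
    paper_votes, paper_cast = hand_count(ballots)
    findings = []
    # Ledger 1: electronic tally vs independent hand count of the paper record.
    for key in sorted(set(paper_votes) | set(electronic)):
        e, p = electronic.get(key, 0), paper_votes.get(key, 0)
        if e != p:
            findings.append(f"{key[0]} {key[1]}: electronic={e} paper={p}")
    # Ledger 2: paper ballots counted vs ballots issued per the poll book.
    for precinct in sorted(set(poll_book) | set(paper_cast)):
        issued, counted = poll_book.get(precinct, 0), paper_cast.get(precinct, 0)
        if issued != counted:
            findings.append(f"{precinct}: issued={issued} paper_counted={counted}")
    # Ledger 3: ballots implied by the electronic tally vs the poll book
    # (catches ballots the software dropped or invented).
    e_cast = Counter()
    for (precinct, _), n in electronic.items():
        e_cast[precinct] += n
    for precinct in sorted(poll_book):
        if e_cast.get(precinct, 0) != poll_book[precinct]:
            findings.append(
                f"{precinct}: electronic_cast={e_cast.get(precinct, 0)} issued={poll_book[precinct]}"
            )
    return findings


def interoperability_check(tabulators, ballots):
    """Black-box interchangeability test: every tabulator fed the same standard
    record set must report the same result. Returns the names that disagree
    with the first implementation listed."""
    results = {name: fn(ballots) for name, fn in tabulators.items()}
    names = list(results)
    baseline = results[names[0]]
    return [n for n in names[1:] if results[n] != baseline]


if __name__ == "__main__":
    print("conforming tabulator:", reconcile(tabulator_reference(PAPER_BALLOTS), PAPER_BALLOTS, POLL_BOOK))
    print("faulty tabulator:   ", reconcile(tabulator_faulty(PAPER_BALLOTS), PAPER_BALLOTS, POLL_BOOK))
    print("disagreeing tabulators:", interoperability_check(
        {"reference": tabulator_reference, "faulty": tabulator_faulty}, PAPER_BALLOTS))
```

Run stand-alone, the conforming tabulator reconciles cleanly, while the faulty one is caught twice over: the P2 Ada total disagrees with the hand count, and the electronic ballot total for P2 no longer matches the poll book. Note that the audit never inspects the tabulator's code, which is exactly the property Hamilton's quoted NIST definition asks for; the interoperability check adds David's point that two implementations of one open record standard must be interchangeable, so a disagreement between them is itself a finding.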


==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Feb 28 23:17:14 2007

This archive was generated by hypermail 2.1.8 : Wed Feb 28 2007 - 23:17:27 CST