Re: Response to Joe Hall: Transparency and Access to Source Code in Electronic Voting

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Sat Jul 29 2006 - 20:16:27 CDT

Dear Joe,

I'd like to focus on the issue of the risk vs. benefit of public
disclosure of the source code, with redactions only for passwords.

1. Linux appears to have better security than Windows, in part due to
its focus on security and the fact that the source is disclosed.
Linux does not rely on "security through obscurity" and its security
has not been adversely compromised by disclosure.

2. While limited access to materials (e.g., military security
clearances) is often done due to legitimate security concerns, it is
also often used to avoid embarrassment or accountability. Notably,
in the original case that led to the US Supreme Court's decision on
state secrets litigation, the real reason was to avoid accountability
as the government was actually at fault and the litigation could have
proceeded without disclosure.

3. While I personally have respect for those who are involved in the
ACCURATE project, why should we have any more faith in those who do
the extra screening suggested by Joe Hall than in the ITAs who are
tasked with this screening in the first place? The failings of ITA
screening have been exposed at the California State Senate hearing on
the matter earlier this year. Do Joe Hall's screeners have any
better access to the voting systems than the ITA did?

4. The concept of votes cast in secret and tallied in public is
incompatible with voting system software being trade secrets.
Published source retains intellectual property rights, such as
copyright and patent rights. I'm not suggesting that those rights be
removed, but that trade secret rights are incompatible.

5. There are those, such as Ron Crane, who argue that public
disclosure of the software is insufficient because not everyone can
inspect the system. It is true that not everyone has the time and
expertise to inspect the system, but the key issue is that it should
be true that everyone MAY inspect the system. This right to inspect
the system includes the right to hire the expert of one's choosing to
inspect the system, or to assemble a group to inspect the system or
to arrange for such an inspection. Full disclosure of the system is
itself a deterrent against placing fraudulent code because of the
potential for discovery.

6. A similar argument applies if only a fraction of those voting
actually check the paper record (paper trail) of their votes on a DRE
voting machine. If 1/3 of the people check, and if there are
appropriate public audits comparing the paper trails with the
electronic ballot reporting, then the risk of fraud or error is
reduced because those who do check their records will detect the
discrepancy. After all, the voting machine does not know in advance
who will and who won't check their paper record. Of course, this
checking of the paper record is made easier if the summary of the
vote remains visible on the voting machine when the paper record is
printing. The Sequoia voting machine used in Santa Clara County
instead clears the summary of the vote off the screen and replaces it
with confusing instructions.

7. It is not clear to me that it is possible to completely eliminate
all potential for fraud and error, even in precinct-based
hand-counting of paper ballots. Our goal should be to reduce the
potential for fraud and error as much as practicable, and to increase
the likelihood of catching fraud and error as much as practicable.
Public disclosure of the source code and all processes and procedures
does more to achieve these goals than does selective disclosure or
inspection only by selected "experts."

8. If existing voting systems are so poorly written that they must
rely on "security through obscurity," then the software in those
systems should be replaced expeditiously with software (open source
OR proprietary published software) that can withstand public
scrutiny. The concept that existing systems should be kept secret as
a security measure should be a stopgap towards their replacement, not
a permanent artifact. And once these existing systems are replaced,
then there is no reason why they should be publicly disclosed so that
we can see for ourselves whether they were or could have been avenues
for fraudulent activity.

Best regards,

At 4:22 PM -0700 7/28/06, Joseph Lorenzo Hall wrote:
>I agree with some of what you say and disagree with some of it. This
>is, of course, the first step in a line of related research and I had
>16 pages in which to take this first step. Thanks for your feedback
>and I will work to strengthen the work as I go forward. -Joe
>On 7/28/06, Alan Dechert <> wrote:
>> Joe, I read your paper titled Transparency and Access to Source Code in
>> Electronic Voting [1]. I'm glad you wrote this. You explore several issues
>> that need discussion but aren't covered anywhere. My response follows ....

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
OVC-discuss mailing list
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon Jul 31 23:17:08 2006
