Re: Response to Joe Hall: Transparency and Access to Source Code in Electronic Voting

From: Joseph Lorenzo Hall <joehall_at_gmail_dot_com>
Date: Sat Jul 29 2006 - 20:31:27 CDT

Thanks again for great feedback. While the comparison to Linux is
easy to make, Linux was not an ugly commercial project and then
suddenly its source was opened. For example, could you imagine what
would happen in the short-term if all of Windows was released under
GPLv2only tomorrow? How could we take something like Windows (or
BallotStation and GEMS) and go from purely commercial to open source?

I believe there needs to be some transitional procedure and I think
it's going to take the cooperation of a bunch of constituencies. I
also think that the transition should include a wider disclosure of
source code culminating in public disclosure. Something that makes
sense to me is if a vendor decided to voluntarily open its source to a
limited group of people* in order to encourage finding holes, flaws,
etc. and then after a round of that, to a wider group of people (say
technical activists) and then finally to go public. If anyone knows
of how a business has done something like this before and not
suffered, let me know. -Joe

* And, yes, I'm not sure how the state or vendor or anyone chooses
these people. I've brainstormed about this and nothing seems
particularly good to me.

On 7/29/06, Arthur Keller wrote:
> Dear Joe,
> I'd like to focus on the issue of the risk vs. benefit of public
> disclosure of the source code, with redactions only for passwords.
> 1. Linux appears to have better security than Windows, in part due to
> its focus on security and the fact that the source is disclosed.
> Linux does not rely on "security through obscurity" and its security
> has not been adversely compromised by disclosure.
> 2. While limited access to materials (e.g., military security
> clearances) is often done due to legitimate security concerns, it is
> also often used to avoid embarrassment or accountability. Notably,
> in the original case that led to the US Supreme Court's decision on
> state secrets litigation, the real reason was to avoid accountability
> as the government was actually at fault and the litigation could have
> proceeded without disclosure.
> 3. While I personally have respect for those who are involved in the
> ACCURATE project, why should we have any more faith in those who do
> the extra screening suggested by Joe Hall than in the ITAs who are
> tasked with this screening in the first place? The failings of ITA
> screening have been exposed at the California State Senate hearing on
> the matter earlier this year. Do Joe Hall's screeners have any
> better access to the voting systems than the ITA did?
> 4. The concept of votes cast in secret and tallied in public is
> incompatible with voting system software being trade secrets.
> Published source retains intellectual property rights, such as
> copyright and patent rights. I'm not suggesting that those rights be
> removed, but that trade secret rights are incompatible.
> 5. There are those, such as Ron Crane, who argue that public
> disclosure of the software is insufficient because not everyone can
> inspect the system. It is true that not everyone has the time and
> expertise to inspect the system, but the key issue is that it should
> be true that everyone MAY inspect the system. This right to inspect
> the system includes the right to hire the expert of one's choosing to
> inspect the system, or to assemble a group to inspect the system or
> to arrange for such an inspection. Full disclosure of the system is
> itself a deterrent against placing fraudulent code because of the
> potential for discovery.
> 6. A similar argument applies if only a fraction of those voting
> actually check the paper record (paper trail) of their votes on a DRE
> voting machine. If 1/3 of the people check, and if there are
> appropriate public audits comparing the paper trails with the
> electronic ballot reporting, then the risk of fraud or error is
> reduced because those who do check their records will detect the
> discrepancy. After all, the voting machine does not know in advance
> who will and who won't check their paper record. Of course, this
> checking of the paper record is made easier if the summary of the
> vote remains visible on the voting machine when the paper record is
> printing. The Sequoia voting machine used in Santa Clara County
> instead clears the summary of the vote off the screen and replaces it
> with confusing instructions.
> 7. It is not clear to me that it is possible to completely eliminate
> all potential for fraud and error, even in precinct-based
> hand-counting of paper ballots. Our goal should be to reduce the
> potential for fraud and error as much as practicable, and to increase
> the likelihood of catching fraud and error as much as practicable.
> Public disclosure of the source code and all processes and procedures
> does more to achieve these goals than does selective disclosure or
> inspection only by selected "experts."
> 8. If existing voting systems are so poorly written that they must
> rely on "security through obscurity," then the software in those
> systems should be replaced expeditiously with software (open source
> OR proprietary published software) that can withstand public
> scrutiny. The concept that existing systems should be kept secret as
> a security measure should be a stopgap towards their replacement, not
> a permanent artifact. And once these existing systems are replaced,
> then there is no reason why they should be publicly disclosed so that
> we can see for ourselves whether they were or could have been avenues
> for fraudulent activity.
> Best regards,
> Arthur
> At 4:22 PM -0700 7/28/06, Joseph Lorenzo Hall wrote:
> >I agree with some of what you say and disagree with some of it. This
> >is, of course, the first step in a line of related research and I had
> >16 pages in which to take this first step. Thanks for your feedback
> >and I will work to strengthen the work as I go forward. -Joe
> >
> >On 7/28/06, Alan Dechert wrote:
> >> Joe, I read your paper titled Transparency and Access to Source Code in
> >> Electronic Voting [1]. I'm glad you wrote this. You explore several issues
> >> that need discussion but aren't covered anywhere. My response follows ....
> --
> -------------------------------------------------------------------------------
> Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
> tel +1(650)424-0202, fax +1(650)424-0424
> _______________________________________________
> OVC-discuss mailing list

Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon Jul 31 23:17:08 2006
