E-Voting Company Agrees To Let California See Its Source Code... But Includes Angry Threats
from the how-nice-of-them dept
In the ongoing effort to make sure that electronic voting machines used in public elections actually have some sort of real scrutiny, we've never had anyone convincingly explain why the source code for these voting machines shouldn't be made public. You may recall that a while back, in a post about some of the limitations being put on security experts trying to examine some of the machines, a representative from the firm Election Systems & Software Inc. (ES&S) showed up in our comments and responded to our questions not with any good reasons, but with insults to everyone here saying we couldn't possibly understand. When asked, point blank, about why he wouldn't let experts like Ed Felten and Avi Rubin test the machines, he responded by claiming that such experts are misleading in their reports and are publishing things solely for a profit motive (which is pretty laughable, if you've ever read either's writings and analysis -- which come across as exceptionally even-handed on these issues). The same guy also claimed that the e-voting companies have always willingly handed over source code to gov't agencies. Specifically he stated: "The companies have always complied with legitimate requests to test and inspect the software. They handed over their source code for review on multiple occasions and have never denied the request of any U.S. government authority to review the code or test the equipment." Of course, he didn't say they did so happily. When California came asking for the source code, ES&S certainly wasn't happy about it.
You may recall that back in March, California's Secretary of State decided that anyone providing e-voting machines in California had to withstand independent testing from a group of security experts. This seems perfectly reasonable, and it's hard to come up with any reason not to do this... unless you're a company like ES&S whose machines have been caught counting votes in triplicate, among other things.
Despite the claim that they "never denied the request of any U.S. government authority," ES&S certainly resisted the requests and only handed in the code three months late, along with an angry, petulant, threatening letter to the Secretary of State warning her that the company will hold the Secretary of State personally responsible "for any prohibited disclosure or use of ES&S' trade secrets and related confidential and proprietary information." Frankly, this should be reason enough to ban the company from having its e-voting machines used in elections. If the company is so worried about having its machines tested by security experts, then it shouldn't be in the business. Furthermore, for a free and fair election, there's simply no reason that the company shouldn't be required to make the core of its system freely available so that the voters of this country can actually trust that their votes are being accurately counted. It's not a crazy request. It's about protecting our fundamental right to vote. Apparently, ES&S doesn't respect that enough to prove to anyone that it can actually build a safe and secure machine that counts votes accurately.
Reader Comments
Yeah! What He Said!
I'm a representative of ES&S, and I think you're wrong on this. I could give you a whole list of reasons why, but it's a little complicated and I don't think you could understand.
PS This comment is strictly confidential and if any of it leaks out onto the Internets, I plan to hold you personally responsible.
[ link to this | view in chronology ]
Re: Yeah! What He Said!
if not, i guarantee there are a giant list of reasons why source code from voting machines should be open and transparent.
anyone have a good link to where those are documented? i don't feel like typing that much here.
thanks,
and if i'm off, slap me in the back of the head.
[ link to this | view in chronology ]
Re: Yeah! What He Said!
[ link to this | view in chronology ]
The only thing..........
well that and proper grammar and punctuation .
[ link to this | view in chronology ]
ES&S
My question about some of this is what machines? Some of their models are nothing more than a touch screen attached to an inkjet printer to fill in the circles on the paper ballot. Others do keep a running tally. Others are counters of the paper ballots. And still others count the votes of various forms of storage media. All of the counters either physically or electronically (most places simply carry the media by hand) link to a central system in the jurisdiction where the vote is tallied.
This is where human intervention comes in. It is at this point that a person can do the wrong thing in the software and triplicate, quadruple, or even erase votes. My concern before you start blasting ES&S or anyone else for their machines, is to make sure that it is the machine, and not the human controlling it.
None of your articles have ever mentioned the machines involved, never once have said where in the process the problem happened.
What's the matter Techdirt, do you think that it's too complicated for us to understand?
[ link to this | view in chronology ]
Re: ES&S
[ link to this | view in chronology ]
Re: ES&S
My concern before you start blasting ES&S or anyone else for their machines, is to make sure that it is the machine, and not the human controlling it.
That's the thing. In an old fashioned paper election if something seemed foul first thing to do is recount. If things still seem off and foul play is believed to be the reason the first suspects are the people handling the machines. The difference between paper and electronic is that there is no need for examining how a wood box with an opening on top was made. Yes a human may have made it but in order to rig an old wooden ballot box you pretty much have to switch out the boxes altogether.
With the coming of electronic ballot boxes the chain of accountability has to be reviewed. Because you now have people writing programs to do the things you just mentioned. In order to tally votes the machine must be able to tell candidate A from candidate B. What's to stop a programmer from adding a little extra piece of code that tells it to give a +2 instead of +1 on a certain candidate?
So basically I'm saying that accountability must be checked from ALL angles (from the programmer to the courier that drops off and picks up the machines). Acting as if the code of a machine that is supposed to be the voice of the voting public is above reproach is just plain arrogant.
[ link to this | view in chronology ]
Re: ES&S
Regarding human intervention, if the manufacturer of the electronic system has satisfied the voters that its equipment is solid, then we can examine the human factor confident that the fault doesn't lie in the machine. The machine which, by the way, was also designed, programmed, and built by the same fallible humans you are so quick to blame.
[ link to this | view in chronology ]
Re: ES&S
If you're building a voting machine whose sole purpose is to accurately and securely count votes without letting anyone vote twice, you should make damn sure that "human error" isn't possible for something like multiple counting of votes.
[ link to this | view in chronology ]
Doesn't matter if it's secure or not - there's no public confidence in it, in any event. These companies putting it together have been far too shady.
Hell, the source code should be made available to the public - period.
After all, it's the physical unit that needs secured. It's like a bank - it's one thing to know the design of the vault, it's quite another to actually crack it.
Counting votes in triplicate... what kind of idiot programmers do they have anyway? Is it really that hard to tally votes to a database??? Come on!!
[ link to this | view in chronology ]
How hard could it be?
[ link to this | view in chronology ]
Scratch ESS
[ link to this | view in chronology ]
From the links provided and the info available, this was not a threatening letter. It was purely the author stating that it had concerns over the examiners chosen and the examiners and the state would be held responsible for leaking any proprietary trade secrets. This is typical in ANY Non Disclosure Agreement and common within any industry. Every company has the right to protect their trade secrets, including ESS.
Now, I fully agree with the state being able to review the machines and the source code and independent experts should be part of the process. However, they also have an obligation to protect all proprietary code/technology provided for their review and should be held responsible if they leak trade secrets. This should not be viewed as an "Angry Threat".
As to the delay in providing the code, if they did not meet the state's deadlines, then frankly they should be disqualified from the running. The state has the right to provide a reasonable timeline to make things available and if ESS wants to compete for the business, then they have an obligation to meet those deadlines. If they don't, then the State should just remove them from the running.
Unless there was other info not posted that constitutes this threat, then you really should stick to the facts instead of using emotionally charged words like "Angry Threat" to try and draw readers in.
Very disappointing journalism in this case.
[ link to this | view in chronology ]
There's NO Confidence Left
I'm sensitive to the question of company confidential information and I'm as concerned as the next guy that having source code available 'might' allow someone to exploit some part of the system to their own gains, and then I remember Linux. All of the source code is available for anyone to download, compile and play with. Has that caused Linux to become the number one exploited operating system? Nope, that honor remains with our friends in Redmond.
Here's the deal. I'm signed up for absentee ballots because I don't want to walk into my precinct, find a machine and have it be too late to cast my vote after refusing to use the machine. And I would refuse to use the machine.
ES&S should understand that the public has lost faith in the system and won't use it if there is another alternative. If putting their code or their machines out there for public testing can help them regain the faith and part of the market share then they are stupid not to do it. Right?
Or is STUPID apropos?
[ link to this | view in chronology ]
Re: There's NO Confidence Left
However, I disagree with your comment about Linux. Linux is a niche product with an extremely small market share. Just like terrorists, if you want to inflict the most damage, you go after the crowded marketplace, not the lone bystander on the corner. In this case, the larger market share happens to be owned by MS and therefore, the more appealing target. It is not that Linux or Apple are inherently better or more secure systems, it is that they are niche players and therefore, not as interesting to hackers.
[ link to this | view in chronology ]
Re: Re: There's NO Confidence Left
This is simply false. Linux doesn't have an "extremely small market share." It depends on what you consider your market, but if you're looking at web servers, it has a very large market share.
But, more to the point, it's a HUGE target, in part because of the ability for anyone who successfully hacks it to gain lots of attention for hacking such a "secure" system. So to claim that hackers are ignoring it is wrong.
[ link to this | view in chronology ]
Re: Re: Re: There's NO Confidence Left
[ link to this | view in chronology ]
Re: Re: Re: There's NO Confidence Left
[ link to this | view in chronology ]
Voting Machines
[ link to this | view in chronology ]
Re: Voting Machines
[ link to this | view in chronology ]
Re: Re: Voting Machines
[ link to this | view in chronology ]
Re: Re: Re: Voting Machines
I don't have any experience with these machines to know what all is involved, but I have been involved in other s/w projects that were essentially DB applications and that provided reasonably simple functions such as counting. However, these applications were much more than a simple adding machine. Releasing the source code to the public would have put these vendors out of business. I am sure that is what ESS is concerned about. The amount of market data gathered by these machines would be exceptionally valuable. They could easily determine voting tendencies of specific districts. They could determine how long a person took to vote on a topic or candidate. They could use data to determine effectiveness of campaign efforts.
Releasing source code would expose all their functions/features that competitors could copy. This would put them at a competitive disadvantage. Therefore, yes, they have the right to protect their IP. Mandating that a private company release their IP is completely wrong and goes against a free market society.
Now, again, I believe that because they are providing a service to a population via Govt. Contracts, the Govt. has the right and obligation to the public to ensure that these machines operate correctly and with accuracy. Having independent experts review the code and ensure the correct operation is completely within the Govt. right to do so. However, I believe the Govt. also has the responsibility to ensure that the IP is completely secure and not open to the public. If the code does get out and is traced back to the experts, then the govt. should be held accountable.
Furthermore, opening the code to the public only adds risk that the system security.
Burning the code to a prom and locking it down is good, but from a support perspective is inefficient. This limits the ability to update code as improvements are made. This would consume more resources and drive up costs. This would be a bad business model.
[ link to this | view in chronology ]
Re: Re: Re: Re: Voting Machines
You are over-complicating this. We DO NOT want the voting machines to do a "market analysis", just count the votes.
As far as "updates", how many updates could there possibly be when counting ones and zeros? New math, perhaps!!
Burning the program to a ROM and having it verified for accuracy and validity before insertion into the machine, lock down the machine with a good locking mechanism, an alarm system and a battery backup that allows legitimate voting, even without power.
[ link to this | view in chronology ]
Re: Re: Re: Re: Voting Machines
Already freely available! Voter registration, and how often you vote are available for 2.5 cents per name at voterlistsonline.com
If you want to harvest WHOM I voted for, then I suggest you have a good lawyer. Voting Rights section of Civil Rights Bill (among many many others) if I remember correctly.
"Furthermore, opening the code to the public only adds risk that the system security."
Again, a fundamental misconception. Security through obscurity is dangerous. Ever hear of peer review? Science mags do it. Imagine a scientist claiming he achieved cold-fusion but couldn't say how because of the security risk to his idea. Wait, that happens and those guys get laughed at...
"Releasing the source code to the public would have put these vendors out of business"
How??? These ppl shouldn't be selling the SOFTWARE! The value they bring is in their HARDWARE: nice touchscreens with a tape-roll. Competition should depend on ease-of-use, reliability, ergonomics, life-span, etc. Again, how many different ways can you count 1+1+1+1? Maybe the interfacing with components might be proprietary but if this is based on GNU Linux in the first place they ARE BREAKING THE LAW by not sharing the derivative code.
Of all the arguments for free software, the code THAT COUNTS OUR VOTES should be free and open to ANYONE to inspect. You want to sell the State a fancy box that runs the code, go for it!
[ link to this | view in chronology ]
Source Code
Besides, IF the source code were available, it would make it that much easier for the Republicans to rig an election, or have we forgotten GW's illegal occupancy of the White House?
[ link to this | view in chronology ]
Re: Source Code
[ link to this | view in chronology ]
Re: Re: Source Code
[ link to this | view in chronology ]
Re: Source Code
I'll forget it around the same time that I forget that John F Kennedy had the election rigged to have dead people vote for him. Both sides have corruption, give it a rest. This is about the source code on adding machines. It MUST be available.
[ link to this | view in chronology ]
What use is source code ?
You could maybe come up with a system where you build it yourself (although you'd have to trust the tools you use to do so) and then re-program the machine with the result (but not through a bootloader, because you can't trust it - you'd have to use something like a JTAG probe).
You might just about get all the machines done in four years, I guess :-)
[ link to this | view in chronology ]
may take a minute or two, but
there may be 300 million people in the US, but only a few million actually vote.
is it really that big of a deal?
[ link to this | view in chronology ]
Re: may take a minute or two, but
I agree that hand counting may be the most accurate but in today's society of wanting everything fast and convenient not many people would be willing to give speed for accuracy.
[ link to this | view in chronology ]
Re: Re: may take a minute or two, but
[ link to this | view in chronology ]
Re: may take a minute or two, but
"is it really that big of a deal?"
Only if you actually want people to participate in the democratic process.
I personally believe that Bush has proven all the US needs is a dictator that has direct communication with God. Strange how similar he is to the terrorists he hates so much.
Check out Hacking Democracy for some great clues on what is really going on with e-voting
http://www.youtube.com/watch?v=GzPXer7946E
I really can't believe that GEMS actually outputs election results into a read/writable Excel file. Amazing the amount of stupidity, but then again this is what happens when we let the fascists privatize everything with no oversight (Deregulation, ohhhh yeah!).
[ link to this | view in chronology ]
Re: Re: may take a minute or two, but
so what. it takes a few days to tally the votes. it's more accurate. isn't accuracy the backbone to voting? if u can't count them right why even vote? perhaps the reputation of these machines is causing a lot of people to think twice about even casting their vote. seems potentially pointless.
then again anyone can find a way to do anything so i say screw voting and we have these people joust for office!
- just my opinion
[ link to this | view in chronology ]
Check the Mgt Political affiliations
[ link to this | view in chronology ]
Re: Check the Mgt Political affiliations
[ link to this | view in chronology ]
Even source code's not good enough
highly optimistic assumption #1) that it's published for open
peer review, and that, amazingly, it's found to be bug-free.
Not good enough.
Q1: How do we know that the compiled executable
was built from that source code?
Q2: How do we know that the compiled executable
was built correctly, and without build system-installed
back doors? (See "Reflections on Trusting Trust" by
Ken Thompson.)
Q3: How do we know that the executable is being
executed properly? That is, that the hardware hasn't
been modified or replaced in order to subvert the code?
Q4: How do we know that the counting systems "upstream"
from the voting machines are tallying correctly?
And so on.
The point being that not just the source code, but the
entire system (the voting machines, the tallying machines,
the communication networks connecting them, the processes
used to operate them, etc.) needs to be secure/accurate.
Moreover, it needs to withstand concerted, clueful, very
well-funded attacks (See "How to Steal an Election" at
Ars Technica as well as Bruce Schneier's analysis of the
likely level of funding available to attackers.)
I don't think that's possible at this time -- and it's certainly
not possible while vendors of such systems are content to
lie, lie, lie rather than candidly admit and promptly address
the issues.
Time for pencil and paper. Yes, it's onerous, and yes it
too can be subverted by sufficiently-clever attackers --
but it's much more robust. And I think preserving
confidence in the integrity of the voting process --
REAL confidence, not ersatz confidence based on the
statements of the well-paid professional spokesliars
working for voting machine vendors -- is worth the
supposed inconvenience.
I don't mind waiting 3-4 days for presidential election
results if that's what it takes to ensure that the correct
candidate is declared the winner.
[ link to this | view in chronology ]
Re: Re: Re: There's NO Confidence Left
What I REALLY don't understand, is why the government doesn't just do this in-house? They have a team of security experts already monitoring their networks no? Have them test it, if it's political worries, have each political party select a 3rd party vendor to test it and check the source. As for the machine itself, it should be connected to a VPN connecting it to a central machine, monitored by a selected member of each political party. The voting machine would have to be under complete lock and key except for a touch screen for data-entry to complete the vote. The vote itself would be sent to the central machine and NOT stored on the voting machine.
[ link to this | view in chronology ]
trade secrets?
This has ALWAYS killed me about the election machine fools. What, exactly, is the trade secret they are trying to protect? This isn't rocket science, essentially just a 1+1+1+1+1+1+1=? problem.
I could understand if this was a highly sophisticated system, but it isn't. For instance, right now I am working on the design of a new 911 integration system that links to displays in patrol cars. This was a HIGHLY competitive contract, and those we beat would love to see how our stuff works. If California wants to look at our code, they'd have to sign all sorts of stuff.
But this is fundamental code and fundamental to our continued liberty. They are hiding something.
[ link to this | view in chronology ]
Re: trade secrets?
[ link to this | view in chronology ]
Re: trade secrets?
The problem is that the 'trade secrets' are that it's not a simple 1+1+1 = xx, it's more:
If candidate = foo Then
    count = count + 2
Else
    Select Case (random 3)
        Case 1
            count = count + 1
        Case 2
            count = count
        Case 3
            count = count - 1
    End Select
End If
foo = the candidate that the voting company president guaranteed the results to (this would be GWB in the case of Diebold). If it got out that they were manipulating the results, then they wouldn't be able to guarantee any locations, and their political kickbacks would dry up, so obviously they have a lot of 'trade secrets' to protect.
[ link to this | view in chronology ]
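A black-box check for the two failure modes raised in this thread, a counter that adds +2 for one candidate and a counter that records ballots in triplicate, written here as an added example that is not part of the original comments or any vendor's code. A known test deck is run through a counter and the reported tallies are compared with the deck; the candidate names, the deck and the three counter functions are constructed for illustration.

```python
from collections import Counter

# Constructed test deck. Each candidate gets a different number of ballots
# so that swapped totals also show up as a mismatch.
DECK = ["foo"] * 3 + ["bar"] * 5 + ["baz"] * 7


def honest_counter(ballots):
    """Reference behaviour: every ballot adds exactly one vote."""
    return Counter(ballots)


def skewed_counter(ballots, favored="foo"):
    """Constructed counter under test: +2 for one candidate, +1 otherwise."""
    tally = Counter()
    for choice in ballots:
        tally[choice] += 2 if choice == favored else 1
    return tally


def triplicate_counter(ballots):
    """Constructed counter under test: records every ballot three times."""
    tally = Counter()
    for choice in ballots:
        tally[choice] += 3
    return tally


def audit(counter_fn, deck):
    """Run counter_fn over a known deck and return a list of findings.

    Two invariants are checked:
      1. votes reported in total == ballots cast
      2. each candidate's reported tally == that candidate's ballots in the deck
    An empty list means the counter reproduced the deck exactly.
    """
    expected = Counter(deck)
    reported = counter_fn(list(deck))
    findings = []

    total_reported = sum(reported.values())
    if total_reported != len(deck):
        findings.append(
            f"total mismatch: {len(deck)} ballots cast, "
            f"{total_reported} votes reported"
        )

    for candidate in sorted(set(expected) | set(reported)):
        want = expected.get(candidate, 0)
        got = reported.get(candidate, 0)
        if got != want:
            findings.append(f"{candidate}: expected {want}, reported {got}")

    return findings


if __name__ == "__main__":
    for fn in (honest_counter, skewed_counter, triplicate_counter):
        result = audit(fn, DECK)
        print(fn.__name__, "->", result if result else "deck reproduced exactly")
```
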
open = secure
Linux is secure PRECISELY because it is open. Anyone can audit the code for flaws, and plenty do.
[ link to this | view in chronology ]
The Source Code
10 REM *VOTE COUNTER*
15 PRINT "Please Select Candidate 1, 2 or 3:";
20 INPUT A
25 IF A=1 THEN TOTAL1=TOTAL1+1: GOTO 15
30 IF A=2 THEN TOTAL2=TOTAL2+1: GOTO 15
35 IF A=3 THEN TOTAL3=TOTAL3+1: GOTO 15
40 IF A=0 THEN GOTO 50
45 GOTO 15
50 PRINT "CANDIDATE 1 RECEIVED ";TOTAL1;" VOTES"
55 PRINT "CANDIDATE 2 RECEIVED ";TOTAL2;" VOTES"
60 PRINT "CANDIDATE 3 RECEIVED ";TOTAL3;" VOTES"
I think this program appeared in Antic Magazine some time in the 80s.
[ link to this | view in chronology ]