Should Source Code for Electronic Voting Machines Be Publicly Available?
Debra Bowen, JD, California Secretary of State, in an Apr. 2, 2008 conference call with the Courage Campaign (retrieved from the Open Voting Consortium under the title "Bowen Urges Los Angeles to go for Open Source Voting"), stated:
"Given that Los Angeles County has not spent its HAVA [Help America Vote Act of 2002] money (it went from punch card systems to an Inkavote system), is it not possible that Los Angeles County would be an excellent place to take the lead in the development of an open source voting system that is not based on proprietary software? I would certainly encourage that.
I think there are efforts going on in the open source community to bring a publicly owned open source system to the voters...
I believe that in the future the counties looking to change [their] voting system, and other states and jurisdictions, are certainly going to place very high values on giving their citizens the right to review the software that defines the ballot, counts the voters, and does all these other functions.
The more complex, the more important it is for people to have access to that... I am confident if we had an open source system, we'd have a lot less to be concerned about in terms of bugs, failings, and/or deliberate attempts to pervert the election system."
RABA Technologies, at the request of the State of Maryland, prepared a Jan. 20, 2004 report titled "Trusted Agent Report: Diebold AccuVote-TS Voting System" which stated:
"Subjecting source code to open scrutiny will not only motivate programmers to write better code, but it will leverage the expertise of a much broader audience...
We strongly recommend that the SBE [State Board of Elections] require the vendors to provide independent source-code level security assessments for their products. Proprietary concerns should never be allowed to mask security through obscurity."
Verified Voting Foundation's Frequently Asked Questions section of their website (accessed June 6, 2008) included the following entry:
"DRE vendors claim that preserving the secrecy of their proprietary technology gives them an important hedge against being compromised. This argument is generally called 'security through obscurity' and has been disproven time and time again. Adversaries will always be able to get voting machines to tear apart and study...
Computer security researchers accept that, for a system to be secure, it must be designed to resist adversaries who know every detail about its inner workings. Furthermore, we have seen too many cases where a vendor claims its software is secure when it turns out to be full of holes.
Currently...the vendors have to escrow the source code of their systems with the Secretary of State's office [but] it doesn't seem to help at all. In fact, it's not clear that there are any circumstances where the code can be examined. In cases where clearly flawed elections have been challenged in some states, the vendors and courts have refused to let independent experts look at the source code."
The Commission on Federal Election Reform, also known as the Carter-Baker Commission, released a report titled Building Confidence in U.S. Elections 2005, which stated:
"The inside process of programming DREs should be open to scrutiny by candidates, their supporters, independent experts, and other interested citizens, so that problems can be detected, deterred, or corrected, and so that the public will have confidence in the machines...
Independent inspection of source codes would strengthen the security of voting systems software by encouraging manufacturers to improve voting security. Expert reviews may also detect software design flaws or vulnerabilities. This, in turn, could bolster public confidence in the reliability of DREs to accurately record and tally the vote in elections."
Michael Shamos, PhD, JD, Distinguished Career Professor of Computer Science at Carnegie Mellon University, wrote in his paper "Paper v. Electronic Voting Records - An Assessment," published in the Proceedings of the 14th ACM Conference on Computers, Freedom and Privacy 2004:
"The manufacturers of voting equipment claim that their software is a trade secret...[I] have been looking at the source codes of voting systems for over 20 years and have yet to find any significant differences in their design except possibly for the number of bugs they contain...
One might speculate then on why they try to keep the source code confidential. The uncharitable view, which appears to have some justification, is that they don't want the public to see how bad their code is. A legitimate reason might be to avoid making matters easy for competitors, but that does not justify withholding information from the public that is necessary to promote confidence in the electoral process...
There is no reason that the ballot setup, display, tabulation and reporting sections of the voting system code should be kept secret, and manufacturers would be wise to accede to public demand in this regard."
A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE) submitted their "Public Comment on the 2005 Voluntary Voting System Guidelines" to the U.S. Election Assistance Commission on Sep. 30, 2005, which stated:
"Protecting vendors' intellectual property must be accomplished in ways other than by sacrificing election transparency. For example, experts can review...source code under protection of non-disclosure agreements. Copyrights and patents owned or licensed by vendors to protect their intellectual property would still be fully enforceable...
It is accepted principle among computer security professionals that 'security through obscurity' is neither secure nor obscure."
The Information Technology Association of America (ITAA), in a Mar. 23, 2006 letter written by John S. Groh, Sales Vice President at ES&S, and Michelle M. Shafer, Vice President of Communications at Sequoia Voting Systems and addressed to California Assemblymember Tom Umberg, wrote:
"Requirements for adoption of open source software or source code disclosure in public sector technology environments are uncommon and go against the grain of current procurement policy and practice... A blanket policy, such as a mandate for open source or disclosed source software... will essentially strip them [voting system vendors] of their core software assets, intellectual property that has taken years and millions of dollars to develop.
As companies move to protect such assets... registrars and citizens will have fewer voting systems choices. Most technology companies rely on a broad range of intellectual property protections, including trade secret, trademark, copyright and patent protection... There are several additional aspects of electronic voting systems and elections environments which may not be compatible with an open source, or disclosed source, software model."
The Election Technology Council's Frequently Asked Questions document on their website (accessed June 6, 2008) stated:
"Open source software in an election context has benefits as well as problems. While the scrutiny of third parties may lead to the early identification and correction of vulnerabilities, it may also provide those intent on disrupting elections with a blueprint for understanding software design logic, knowledge of the business processes underlying elections, and the opportunity to introduce malicious code or apply 'social engineering' techniques to perpetrate election fraud.
In any event, the source code is 'open' to the appropriate regulatory authorities at all times...The source code is held in escrow by various state and federal officials."
Harris Miller, President of the Information Technology Association of America, wrote an Apr. 15, 2005 letter to U.S. Representative John Conyers, Jr., which stated:
"Calling for 'open and accessible software code' is unnecessary, impractical and detrimental to the security of U.S. elections. DRE manufacturers already must submit their code for review to Independent Testing Authorities and state and local authorities...
Making code available to the public at large is not practical because it undermines the years of hard work and millions of dollars invested by companies in their proprietary software. Without that asset, the business model for the vendors who support American elections would be fatally corrupted.
Finally, and most seriously, making our members' [electronic voting machine manufacturers] code publicly available is an invitation to those who would use this access to better understand software designs and devise highly customized code attacks and exploits. In conjunction with well-publicized production and election schedules, the universal availability of DRE code would irresponsibly provide potential wrongdoers with ready access to important tools used to safeguard American democracy."
Congressional Research Service's 2003 Report for Congress titled Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues, explained the viewpoint of those who favor voting system software being proprietary:
"Advocates of proprietary or 'closed source' code argue that this approach makes potential flaws more difficult to discover and therefore to exploit...
Currently, the code for virtually all voting system software in the United States is closely held by the vendors, who release it only to select parties, such as the ITAs [Independent Testing Authorities], under nondisclosure agreements. The vendors argue that the use of proprietary software is important both to protect their intellectual property rights and for security...[S]ecrecy can be an important security tool, sometimes called 'security through obscurity.'"
Kevin Chung, PhD, CEO of AVANTE International Technology, a manufacturer of electronic voting machines, described his company's position on making software code open to the public in his May 5, 2004 testimony before the U.S. Election Assistance Commission:
"Open sources can guarantee only one thing: That the source codes as revealed are 'OK' and free of potential threats. However, they are 'OK' only if they are not changed. As we have seen before, they are easily changed and quite often without notice by the vendors during the last election. While most states have criminal codes against such unauthorized changes the offenders are not prosecuted as we saw from the last election...
The usefulness of 'open source' for voting systems that are not under public control but rather under the control of a few individuals is not as obvious...Unless we have stringent procedural controls of election processes and diligent prosecution of offenders, we may be faced with more tampering of the voting systems if the source codes are open."