E-Voting Company Agrees To Let California See Its Source Code… But Includes Angry Threats
from the how-nice-of-them dept
In the ongoing effort to make sure that electronic voting machines used in public elections actually have some sort of real scrutiny, we’ve never had anyone convincingly explain why the source code for these voting machines shouldn’t be made public. You may recall that a while back, in a post about some of the limitations being put on security experts trying to examine some of the machines, a representative from the firm Election Systems & Software Inc. (ES&S) showed up in our comments and responded to our questions not with any good reasons, but with insults to everyone here saying we couldn’t possibly understand. When asked, point blank, about why he wouldn’t let experts like Ed Felten and Avi Rubin test the machines, he responded by claiming that such experts are misleading in their reports and are publishing things solely for a profit motive (which is pretty laughable, if you’ve ever read either’s writings and analysis — which come across as exceptionally even-handed on these issues). The same guy also claimed that the e-voting companies have always willingly handed over source code to gov’t agencies. Specifically he stated: “The companies have always complied with legitimate requests to test and inspect the software. They handed over their source code for review on multiple occasions and have never denied the request of any U.S. government authority to review the code or test the equipment.” Of course, he didn’t say they did so happily. When California came asking for the source code, ES&S certainly wasn’t happy about it.
You may recall that back in March, California’s Secretary of State decided that anyone providing e-voting machines in California had to withstand independent testing from a group of security experts. This seems perfectly reasonable, and it’s hard to come up with any reason not to do this… unless you’re a company like ES&S whose machines have been caught counting votes in triplicate, among other things. Despite the claim that they “never denied the request of any U.S. government authority,” ES&S certainly resisted the requests and only handed in the code three months late, along with an angry, petulant, threatening letter to the Secretary of State warning her that the company will hold the Secretary of State personally responsible “for any prohibited disclosure or use of ES&S’ trade secrets and related confidential and proprietary information.” Frankly, this should be reason enough to ban the company from having its e-voting machines used in elections. If the company is so worried about having its machines tested by security experts, then it shouldn’t be in the business. Furthermore, for a free and fair election, there’s simply no reason that the company shouldn’t be required to make the core of its system freely available so that the voters of this country can actually trust that their votes are being accurately counted. It’s not a crazy request. It’s about protecting our fundamental right to vote. Apparently, ES&S doesn’t respect that enough to prove to anyone that it can actually build a safe and secure machine that counts votes accurately.
Comments on “E-Voting Company Agrees To Let California See Its Source Code… But Includes Angry Threats”
Yeah! What He Said!
Actually, no.
I’m a representative of ES&S, and I think you’re wrong on this. I could give you a whole list of reasons why, but it’s a little complicated and I don’t think you could understand.
PS This comment is strictly confidential and if any of it leaks out onto the Internets, I plan to hold you personally responible.
Re: Yeah! What He Said!
ummm….it’s too early for my sarcasm detector to be fully operational, but i sincerely hope pitchfork lady’s just yankin the collective chain.
if not, i guarantee there are a giant list of reasons why source code from voting machines should be open and transparent.
anyone have a good link to where those are documented? i don’t feel like typing that much here.
thanks,
and if i’m off, slap me in the back of the head.
Re: Yeah! What He Said!
Hey, you get my check?? I really need to win. =)
The only thing..........
the only thing that i dont understand is why we are using those machines.
well that and proper grammar and punctuation .
ES&S
I do not represent ES&S, but i have done election day machine support for them. (It’s a three day gig around election day and some training before hand. It’s kinda fun actually)
My question about some of this is what machines? Some of their models are nothing more than a touch screen attached to an inkjet printer to fill in the circles on the paper ballot. Others do keep a running tally. Others are counters of the paper ballots. And still others count the votes of various forms of storage media. All of counters either physically or electronically (most places simply carry the media by hand) link to a central system in the jurisdiction where the vote is tallied.
This is where human intervention comes in. It is at this point that a person can the wrong thing in the software and triplicate, quadruple, or even erase votes. My concern before you start blasting ES&S or anyone else for their machines, is to make sure that it is the machine, and not the human controlling it.
None of your articles have ever mentioned the machines involved, never once have said where in the process the problem happened.
What’s the matter tech dirt, do you think that it’s too complicated for us to understand.
Re: ES&S
I believe the real problem lies in the fact that the machines ALLOW someone to duplicate, triplicate or even erase votes….
Re: ES&S
My concern before you start blasting ES&S or anyone else for their machines, is to make sure that it is the machine, and not the human controlling it.
Thats the thing. In an old fashioned paper election if something seemed foul first thing to do is recount. If things still seem off and foul play is believed to be the reason the first suspects are the people handling the machines. The difference between paper and electronic is that there is no need for examining how a wood box with an opening on top was made. Yes a human may have made it but in order to rigged an old wooden ballet box you pretty much have to switch out the boxes altogether.
With the coming of electronic ballet boxes the chain of accountability has to be reviewed. Because you now have people writing programs to do the things you just mentioned. In order to tally votes the machine must be able to tell candidate A from candidate B. What’s to stop a programmer from adding a little extra piece of code that tells it give a +2 instead of +1 on a certain candidate?
So basically I’m saying that accountabilty must be checked from ALL angles (from the programmer to courier that drops off and picks up the machines). Acting as if the code of a machine that is supposed the voice of the voting public is above reproach is just plain arrogant.
Re: ES&S
The machines involved is irrelevant to the argument and bringing it up is possibly just a diversionary tactic. But it’s easily addressed. Voters should be confident that ANY the models operate properly, and the simplest way to accomplish that is to allow transparent, independent, third-party testing and certification. Of all makes and models.
Regarding human intervention, if the manufacturer of the electronic system has satisfied the voters that it’s equipment is solid, then we can examine the human factor confident that the fault doesn’t lie in the machine. The machine which, by the way, was also designed, programmed, and built by the same fallible humans you are so quick to blame.
Re: ES&S
This is where human intervention comes in. It is at this point that a person can the wrong thing in the software and triplicate, quadruple, or even erase votes. My concern before you start blasting ES&S or anyone else for their machines, is to make sure that it is the machine, and not the human controlling it.
If you’re building a voting machines whose sole purpose is to accurately and securely count votes without letting anyone vote twice, you should make damn sure that “human error” isn’t possible for something like multiple counting of votes.
Electronic voting should be flushed down the virtual toilet.
Doesn’t matter if it’s secure or not – there’s no public confidence in it, in any event. These companies putting it together have been far too shady.
Hell, the source code should be made available to the public – period.
After all, it’s the physical unit that needs secured. It’s like a bank – it’s one thing to know the design of the vault, it’s quite another to actually crack it.
Counting votes in triplicate… what kind of idiot programmers do they have anyway? Is it really that hard to tally votes to a database??? Come on!!
How hard could it be?
With the complexity, elegance, and stability of modern software how hard could it be to have a reliable, accurate program that does one simple thing…….add. Proprietary source code of an adding machine? Give me a frickin break. It’s taken too long, with too many “problems” to get voting machines up and running. It could not possibly be that difficult. O, I forgot. The gullible tax payers are paying for it and incompetent beurocrats are managing the process. Not too hard to tally up American Idol votes now is it? The truth is the politicians don’t really want this. Why? Because of where it’s leading. They fear the obvious. According to our Constitution the people rule. Our elected “officials” are representatives of the will of the people. What happens when through the Internet, the people start “voting” on every issue? And the “representatives” have no choice but to also vote according to the clear will and intent of the voting, tax paying Americans they are supposed to represent, must represent? Why the whole corrupt system of bribes, graft and “special interests” comes crumbling down. That folks, is why we’ve been having so many problems with electronic voting machines. They represent the future where the American people rule and not corporations and wealthy people that up-til now clearly control both political parties and almost every law that comes into existence. We no longer live in the dark ages. Technology is passing up the corrupt bureaucrats faster than they can make laws to control it. They are afraid, very afraid.
Scratch ESS
ESS apparently missed the deadline to turn over their source code. To my way of thinking, they missed the deadline, they are out of the running. They were petulant about turning over the source code. One more reason they are out of the running. I don’t see the quote in their letter really being threatening. They were just stating that they had trade secrets that must be kept confidential. MS, Apple, etc. all do that. I guess it’s just that coupled with their attitude and failure to comply that the “threat” seems more of a threat. However, overall, if they really don’t want to play nice with us, then we don’t need ’em.
The title of this thread is blatantly misleading and Tech Dirt should be ashamed for posting such dribble.
From the links provided and the info available, this was not a threatening letter. It was purely the author stating that it had concerns over the examiners chosen and the examiners and the state would be held responsible for leaking any proprietary trade secrets. This is typical in ANY Non Disclosure Agreement and common within any industry. Every company has the right to protect their trade secrets, including ESS.
Now, I fully agree with the state being able to review the machines and the source code and independent experts should be part of the process. However, they also have an obligation to protect all proprietary code/technology provided for their review and should be held responsible if they leak trade secrets. This should not be viewed as an “Angry Threat”.
As to the delay in providing the code, if they did not meet the states deadlines, then frankly they should be disqualified from the running. The state has the right to provide a reasonable timeline to make things available and if ESS wants to compete for the business, then they have an obligation to meet those deadlines. If they don’t, then the State should just remove them from the running.
Unless there was other info not posted that constitutes this threat, then you really should stick to the facts instead of using emotionally charged words like “Angry Threat” to try and draw readers in.
Very disapointing journalism in this case.
There's NO Confidence Left
It’s hard to imagine that after the issues in Texas and other spots around the country the various manufacturers are not jostling to be FIRST in line to have their machines and software rigorously tested.
I’m sensitive to the question of company confidential information and I’m as concerned as the next guy that having source code available ‘might’ allow someone to exploit some part of the system to their own gains, and then I remember Linux. All of the source code is available for anyone to download, compile and play with. Has that caused Linux to become the number one exploited operating system? Nope, that honor remains with our friends in Redmond.
Here’s the deal. I’m signed up for absentee ballots because I don’t want to walk into my precinct, find a machine and have it be too late to cast my vote after refusing to use the machine. And I would refuse to use the machine.
ES&S should understand that the public has lost faith in the system and won’t use if there is another alternative. If putting their code or their machines out there for public testing can help them regain the faith and part of the market share then they are stupid not to do it. Right?
Or is STUPID apropos?
Re: There's NO Confidence Left
Lot’s of reasonable and good comments.
However, I disagree with your comment about Linux. Linux is a niche product with an extremely small market share. Just like terrorists, if you want to inflict the most damage, you go after the crowded marketplace, not the lone bystander on the corner. In this case, the larger market share happens to be owned by MS and therefore, the more apealing target. It is not that Linux or Apple are inherrently better or more secure systems, it that they are niche players and therefore, not as interesting to hackers.
Re: Re: There's NO Confidence Left
However, I disagree with your comment about Linux. Linux is a niche product with an extremely small market share. Just like terrorists, if you want to inflict the most damage, you go after the crowded marketplace, not the lone bystander on the corner. In this case, the larger market share happens to be owned by MS and therefore, the more apealing target. It is not that Linux or Apple are inherrently better or more secure systems, it that they are niche players and therefore, not as interesting to hackers.
This is simply false. Linux doesn’t have an “extremely small market share.” It depends on what you consider your market, but if you’re looking at web servers, it has a very large market share.
But, more to the point, it’s a HUGE target, in part because of the ability for anyone who successfully hacks it to gain lots of attention for hacking such a “secure” system. So to claim that hackers are ignoring it is wrong.
Re: Re: Re: There's NO Confidence Left
That is my point exactly. Burn the source code to firmware WITHOUT an incoming port or portal. Any tampering would have to be done before hand and would be easily detectible and traceable.
Re: Re: Re: There's NO Confidence Left
I am not trying to turn this into a Linux vs. MS debate. I felt there are other reasons why Linux was not a clear example. I was trying to point out that just because Linux is an open architecture that does not mean it is secure and therefore, your argument does not necessarily apply to the topic at hand of releasing source code to the public.
Voting Machines
Why would any government agency buy any voting machines without having prior approval on the source code? Why would the source code be in the form of software and not burned into firmware thus removing the possibility of someone introducing a software patch to steal an election? Why would a company be so concerned about their source code unless they have something to hide? After all, the source code is worthless to a possible competitor without a voting machine to run it on, and any company able to construct a competing voting machine can certainly develop their own software. Sounds very suspicious on the part of the company (ES&S) to me.
Re: Voting Machines
No, the source code is not worthless to a competitor. If you can see how your competition does things, you can replicate it in your own products and remove a possible advantage that a competitor has.
Re: Re: Voting Machines
How is having the source code going to change the fact that you are counting yes/no votes and going to help a competitor? What can possibly be so difficult with that? That is probably a big part of the problem. These companies have gotten away from the basic objective of “counting votes” and have complicated the issue way beyond what is reasonable. I still say, it’s very simple. Count ones and zeros, or yes and no votes, total them and provide a means to get the totals for that machine to a central location for tallying. The source code should be burnt into firmware without the possibility of introducing a software patch.
Re: Re: Re: Voting Machines
You are significantly trivializing the issue. Counting the votes is a very simplistic way of looking at this issue.
I don’t have any experience with these machines to know what all is involved, but I have been involved in other s/w projects that were essentially DB applications and that provided reasonably simple functions such as counting. However, these applications were much more than a simple adding machine. Releasing the source code to the public would have put these vendors out of business. I am sure that is what ESS is concerned about. The amount of market data gathered by these machines would be exceptionally valuable. They could easily determine voting tendancies of specific districts. They could determine how long a person took to vote on a topic or candidate. They could use data to determine effectiveness of campaign efforts.
Release source code would expose all their functions/features that competitors could copy. This would put them at a competitive disadvantage. Therefore, yes, they have the right to protect their IP. Mandating that a private company release their IP is completely wrong and goes against a free market society.
Now, again, I believe that because they are providing a service to a population via Govt. Contracts, the Govt. has the right and obligation to the public to ensure that these machines operate correctly and with accuracy. Having independent experts review the code and ensure the correct operation is completely within the Govt. right to do so. However, I believe the Govt. also has the responsiblity to ensure that the IP is completely secure and not open to the public. If the code does get out and is traced back to the experts, then the govt. should be held accountable.
Furthermore, opening the code to the public only adds risk that the system security.
Burning the code to a prom and locking it down is good, but from a support perspective is inefficient. This limits the ability to update code as improvements are made. This would consume more resources and drive up costs. This would be a bad business model.
Re: Re: Re:2 Voting Machines
“The amount of market data gathered by these machines would be exceptionally valuable. They could easily determine voting tendancies of specific districts. They could determine how long a person took to vote on a topic or candidate. They could use data to determine effectiveness of campaign efforts.”
You are over-complicating this. We DO NOT want the voting machines to do a “market analysis”, just count the votes.
As far as “updates”, how many updates could there possibly be when counting ones and zeros? New math, perhaps!!
Burning the program to a ROM and having it verified for accuracy and validity before insertion into the machine, lock down the machine with a good locking mechanism, an alarm system and a battery backup that allows legitimate voting, even without power.
Re: Re: Re:2 Voting Machines
“market data gathered by these machines would be exceptionally valuable. They could easily determine voting tendancies of specific districts. They could determine how long a person took to vote on a topic or candidate. They could use data to determine effectiveness of campaign efforts.”
Already freely available! Voter registration, and how often you vote are available for 2.5 cents per name at voterlistsonline.com
If you want to harvest WHOM I voted for, then I suggest you have a good lawyer. Voting Rights section of Civil Rights Bill (among many many others) if I remember correctly.
“Furthermore, opening the code to the public only adds risk that the system security.”
Again, a fundamental misconception. Security through obscurity is dangerous. Ever hear of peer review? Science mags do it. Imagine a scientist claiming he achieved cold-fusion but couldn’t say how because of the security risk to his idea. Wait, that happens and those guys get laughed at…
“Releasing the source code to the public would have put these vendors out of business”
How??? These ppl shouldn’t be selling the SOFTWARE! The value they bring is in their HARDWARE: nice touchscreens with a tape-roll. Competition should depend on ease-of-use, reliability, ergonomics, life-span, etc. Again, how many different ways can you count 1+1+1+1? Maybe the interfacing with components might be proprietary but if this ia vased on GNU Linux in the first place they ARE BREAKING THE LAW by not sharing the derivative code.
Of all the arguments for free software, the code THAT COUNTS OUR VOTES should be free and open to ANYONE to inspect. You want to sell the State a fancy box that runs the code, go for it!
Source Code
Giving out your custom source code is the equivalent to having unprotected sex in an African brothel. There is a reason that software companies obfuscate their source code in that besides becoming hackable, it allows anyone to copy their work.
Besides, IF the source code were available, it would make it that much easier for the Republicans to rig an election, or have we forgotten GW’s illegal occupancy of the White House?
Re: Source Code
Good God, give it a rest!! This is about source code, not your political fasist views!!!
Re: Re: Source Code
Silly SPR, on the Internet everything is about politics, religion, or both.
Re: Source Code
“Besides, IF the source code were available, it would make it that much easier for the Republicans to rig an election, or have we forgotten GW’s illegal occupancy of the White House?”
I’ll forget it around the same time that I forget that John F Kennedy had the election rigged to have dead people vote for him. Both sides have corruption, give it a rest. This is about the source code on adding machines. It MUST be available.
What use is source code ?
Even if the company were to give you every version of the source code it has, you still have no way of knowing that it corresponds to what’s actually running in the machine.
You could maybe come up with a system where you build it yourself (although you’d have to trust the tools you use to do so) and then re-program the machine with the result (but not through a bootloader, because you can’t trust it – you’d have to use something like a JTAG probe).
You might just about get all the machines done in four years, I guess 🙂
may take a minute or two, but
why dont we just do what we’ve always done……..count the damn things by hand. if its screwed up then you know who’s to blame.
there maybe 300 million people in the US, but only a few million actually vote.
is it really that big of a deal?
Re: may take a minute or two, but
People (especially news outlets that promise the “latest coverage”) are already impatient enough that takes until well after night fall to get the results.
I agree that hand counting may be the most accurate but in today’s society of wanting everything fast and convinent not many people would be willing to give speed for accuracy.
Re: Re: may take a minute or two, but
i do agree with you, but considering the potential consequences of being inaccurate maybe someone should suggest to these people to take a damn chill pill.
Re: may take a minute or two, but
“there maybe 300 million people in the US, but only a few million actually vote.
is it really that big of a deal?”
Only if you actually want people to participate in the democratic process.
I personally believe that Bush has proven all the US needs is a dictator that has direct communication with God. Strange how similar he is to the terrorists he hates so much.
Check out Hacking Democracy for some great clues on what is really going on with e-voting
http://www.youtube.com/watch?v=GzPXer7946E
I really can’t believe that GEMS actually outputs election results into a read/writable excel file. Amazing the amount of stupidity, but then again this is what happens when we let the fascists privatize everything with no oversight (Deregulation, ohhhh yeah!).
Re: Re: may take a minute or two, but
i doubt e-voting machines are going to revolutionize our democratic process.
so what. it takes a few days to tally the votes. its more accurate. isnt accuracy the backbone to voting? if u cant count them right why even vote? perhaps the reputation of these machines are causing alot of people to think twice about even casting their vote. seems potentially pointless.
then again anyone can find a way to do anything so i say screw voting and we have these people joust for office!
– just my opinion
Check the Mgt Plitical affiliations
My guess is these are a bucnh of libs that think they can get away with 2006 again in 2008. Does ANYONE REALLY believe the Democrats won anything? I don’t. It’s either the machines or the illegal aliens voting that PUT the democrats in power. We now see how well that is working out eh….
Re: Check the Mgt Plitical affiliations
The Republicans do what they can to steal elections, but they are mere amateurs that are competing with pros that have been registering and voting cemeteries for years.
Even source code's not good enough
Suppose the source code’s disclosed. Suppose (and this is
highly optimistic assumption #1) that it’s published for open
peer review, and that, amazingly, it’s found to be bug-free.
Not good enough.
Q1: How do we know that the compiled executable
was built from that source code?
Q2: How do we know that the compiled executable
was built correctly, and without build system-installed
back doors? (See “Reflections on Trusting Trust” by
Ken Thompson.)
Q3: How do we know that the executable is being
executed properly? That is, that the hardware hasn’t
been modified or replaced in order to subvert the code?
Q4: How do we know that the counting systems “upstream”
from the voting machines are tallying correctly?
And so on.
The point being that not just the source code, but the
entire system (the voting machines, the tallying machines,
the communication networks connecting them, the processes
used to operate them, etc.) needs to be secure/accurate.
Moreover, it needs to withstand concerted, clueful, very
well-funded attacks (See “How to Steal an Election” at
Ars Technica as well as Bruce Schneier’s analysis of the
likely level of funding available to attackers.)
I don’t think that’s possible at this time — and it’s certainly
not possible while vendors of such systems are content to
lie, lie, lie rather than candidly admit and promptly address
the issues.
Time for pencil and paper. Yes, it’s onerous, and yes it
too can be subverted by sufficiently-clever attackers —
but it’s much more robust. And I think preserving
confidence in the integrity of the voting process —
REAL confidence, not ersatz confidence based on the
statements of the well-paid professional spokesliars
working for voting machine vendors — is worth the
supposed inconvenience.
I don’t mind waiting 3-4 days for presidential election
results if that’s what it takes to ensure that the correct
candidate is declared the winner.
There's NO Confidence Left
It takes roughly 10 seconds to detach a chip, reattach it to another board, flash the firmware, and reattach to initial board. The only REAL way to secure a machine is to remove it from the public place and lock it away in a vault with no key. Not exactly ideal, especially in this case.
What I REALLY don’t understand, is why the government doesn’t just do this in-house? They have a team of security experts already monitoring their networks no? Have them test it, if its political worries, have each political party select a 3rd party vendor to test it and check the source. As for the machine itself, it should be connected to a VPN connecting it to a central machine, monitored by a selected member of each political party. The voting machine would have to be under complete lock and key except for a touch screen for data-entry to complete the vote. The vote itself would be sent to the central machine and NOT stored on the voting machine.
trade secrets?
“for any prohibited disclosure or use of ES&S’ trade secrets and related confidential and proprietary information.”
This has ALWAYS killed me about the election machine fools. What, exactly, is the trade secret they are trying to protect? This isn’t rocket science, esentially just a 1+1+1+1+1+1+1=? problem.
I could understand if this was a highly sophisticated system, but it isn’t. For instance, right now I am working on the design of a new 911 integration system that link to displays in patrol cars. This was a HIGHLY competitive contract, and those we beat would love to see how our stuff works. If California wants to look at our code, they’d have to sign all sorts of stuff.
But this is fundamental code and fundamental to our continued liberty. They are hiding something.
Re: trade secrets?
I agree with you. It is counting ones and zeros. It is not rocket science. They are hiding something.
Re: trade secrets?
What, exactly, is the trade secret they are trying to protect? This isn’t rocket science, esentially just a 1+1+1+1+1+1+1=? problem.
The problem is that the ‘trade secrets’ are that it’s not a simple 1+1+1 = xx, it’s more:
If candidate = foo then
count = count + 2
else select case (random 3)
Case 1
count = count + 1
Case 2
count = count
Case 3
count = count -1
End if
foo = the candidate that the voting company president guaranteed the results to (this would be GWB in the case of diebold). If it got out that they were manipulating the results, they they wouldn’t be able to guarantee any locations, and their political kickbacks would dry up, so obviously they have a lot of ‘trade secrets’ to protect.
open = secure
“to point out that just because Linux is an open architecture that does not mean it is secure”
Linux is secure PRECISELY because it is open. Anyone can audit the code for flaws, and plenty do.
The Source Code
Hey guys, I have the voting machine source code right here. It was written in Atari BASIC:
10 REM *VOTE COUNTER*
15 PRINT “Please Select Candidate 1, 2 or 3:”;
20 INPUT A
25 IF A=1 THEN TOTAL1=TOTAL1+1; GOTO 15
30 IF A=2 THEN TOTAL2=TOTAL2+1; GOTO 15
35 IF A=3 THEN TOTAL3=TOTAL3+1; GOTO 15
40 IF A=0 THEN GOTO 50
45 GOTO 15
50 PRINT “CANDIDATE 1 RECEIVED “;TOTAL1;” VOTES”
55 PRINT “CANDIDATE 2 RECEIVED “;TOTAL2;” VOTES”
60 PRINT “CANDIDATE 3 RECEIVED “;TOTAL3;” VOTES”
I think this program appeared in Antic Magazine some time in the 80s.