by colmmacc 4353 days ago
Visibility of the source code is a side-show in electronic voting systems. Even if the source code is published, there is no way to be sure that that is the code that is running on the hardware, or to be certain that the hardware itself has not been tampered with. Votes need to be printed out on paper, verified by the voter, and counted by hand.

Still, when we had the source code for the Irish system (now abandoned due to our efforts) analyzed by a commission, it was found that it had actual counting errors.

http://www.stdlib.net/~colmmacc/www.cev.ie/htm/report/part4_...

Amazing!


Australian elections ARE pen and paper.

The ballots are entered (by hand, AFAIK) into the AEC's central system to compute the complex preference flows. Realistically, the algorithm isn't that complicated, and the ABC does a good job at guesstimating it [1]. This is why it is so surprising they refuse to release it, even after the Senate passed a motion demanding its release [2].

[1] http://www.abc.net.au/news/federal-election-2013/results/sen...

[2] http://www.computerworld.com.au/article/550114/electoral_com...

At Ruxcon last year there was a very interesting talk by an electoral systems researcher (I can't recall her name). She went through a number of electronic voting systems, and they all suck. Some more than others. The only case where she found a system that was close to acceptable was in a crypto organisation where everyone was highly technically fluent in the system. Certainly not transferable to the general public. She also noted that computerised systems tend to favour right-wing policies even if the algorithm is fair - people who vote for leftist policies are over-represented amongst migrants, people with disabilities, and other non-mainstream demographics.

She did have the opinion, though, that there was a place for electronic machines in the voting booth, and it was this: register your vote on a machine. It prints out a slip with clear, unambiguous markings against your selected candidate(s). Verify that it has the content you want, then go lodge the slip like any other paper ballot. You now have a clearer, less ambiguous version of the paper ballot, which is more accessible to people with certain kinds of disabilities to boot.

Most of the times that a paper ballot recount differs is not because of inept counters, but because some voters leave ambiguous marks. She said that in Australia, it has about the best system possible (edit: probably 'in current use') in terms of verifying the count: an AEC official does the counting, and the major parties volunteer scrutineers to challenge ambiguous voting slips. As there are mutually opposing witnesses, you get a fairly robust count - the differences come when one set of scrutineers allows one ambiguous mark, but on a recount that same ambiguous mark gets treated differently by another set of scrutineers.

The important thing is the pile of paper though - the evidence that people voted a certain way. In effect, as soon as you don't have the physical evidence, you're at the mercy of "trust us, it's accurate". How do you scrutinise that?

It was Vanessa Teague from Melbourne Uni

http://people.eng.unimelb.edu.au/vjteague/

>in Australia, it has about the best system possible [...] in terms of verifying the count: an AEC official does the counting, and the major parties volunteer scrutineers to challenge ambiguous voting slips

That's actually how it works in Italy as well: each poll station has an official "commission" and party-nominated "observers" who can challenge slip by slip. It's probably the fairest system one can devise, although it relies on political activism (a party without enough volunteers to cover all poll stations will likely miss out votes here and there, although this might be irrelevant depending on how winners are determined).

Correct. I have done scrutineering in Australian elections. It is fun, as you get the local results before anyone else. Also you see the comments people write on the papers.

E.g. "Youse bastards r al liers!"

It's not a side show at all, it's the most important thing. By showing us the code the AEC is making the implicit commitment that this is the code running on their systems. Until they show us some code they are not even making that commitment at all - they could be running anything, they could change it every day to match their whims.

My own suspicion is that they DO know of numerous problems either current or past and quite likely these will cast enough doubt on some particular past results that it would bring about a constitutional crisis.

I don't mean any offense - but your position is not self-consistent. "Showing us the code" does not invalidate "could change it every day to match their whims".

For example the entire source code to Linux is public, but looking from the outside, you as an observer have no way to know that a particular copy of the Linux code is what is running on my laptop.

Which is why I say it's a side-show. If the source code is shabby, getting it might help a little in the short-term; it makes the whole process less reputable. But code can be rewritten. It distracts from the real need; independent verification of the process itself.

The point, though, is that releasing the source code under the pretense that it is the running code can create a legal obligation that what's released is what's run. No, it doesn't prevent them from running something else, but it at least creates the possibility of audits and consequences if they do so.

They already have a legal obligation to count appropriately. The publicity of the source code is irrelevant to that.

Thanks - this is exactly my point.

But do you even trust the compiler they use?

Computers you don't totally control are inherently untrustworthy: http://cm.bell-labs.com/who/ken/trust.html

For most things it doesn't matter enough, but for deciding who gets to run the country, I think we need a higher standard.

I know everyone likes to cite that paper whenever they can, but it's not really relevant here. In this hypothetical, they give you the source but they compile it to binary. They do not provide you with the compiler or its source. The compiler can be malicious, but there's no need to hide its maliciousness - they don't even prove that the software running is in any way derived from the source they've given you! It would be a giant leap forward to have to design against KT-level shenanigans. The whole process can currently be subverted with CS 101-level jiggery pokery.

So why not also demand the object code. Then you can mistrust the hardware instead.

I actually see where both you and the person you're debating with are coming from. Yeah, it's kinda a side-show because they can publish anything they want and you or I can't verify that's truly what is running. But it's a side-show that can turn into the main-show if the government really screws it up or a whistle-blower appears on the scene. From that angle, I say making them publish the code & promise the public that's the real code in production will then at least add one more avenue for any government scandals to be "accidentally" revealed.

Basically, the more often you can force someone to tell a lie the more likely they screw up somewhere and it all falls apart.

If they could be legally compelled to release it once, perhaps there is some way of legally compelling them to always have the most recent version published.

Or, as they said, the software has commercial value:

http://www.aec.gov.au/about_aec/AEC_Services/Fee_for_service...

Well, if we all disagreed with closed-source voting systems, then it would have 0 value...

Let's put it to a vote. Along with the proposal to renew the contract... we'll just have to do it after the upcoming scheduled maintenance on the voting system...

Maybe there should be a provision that votes concerning the voting system uses the most conservative and/or transparent means of voting available (such as counting a show of hands, or paper slips...)?

Either way this is silly. Yes, it is hard to trust the entire system without doing a system audit. Fundamentally, when you put your voting logic into a few opaque plastic boxes whose only interface is a green and red button, it's pretty hard to know that the system hasn't been tampered with, is secure, does what it is supposed to do, does today what it did yesterday as well... but surely opening up the source is a great start?

I'd propose a simple system based on Forth and micro-controllers, that would allow for (reasonable) analysis of the binary machine code -- perhaps with random sampling and destructive reverse-engineering testing of all of the component parts every now and then.

Then we could worry about whether the people doing the auditing were on the take or not...

Actually, how about this: for stuff like this which is presumably public voting anyway, use two flags and a high-resolution camera, coupled with face detection and signal processing to determine the vote -- along with archiving the photo with a time-stamp (and vote number/identifier) for easy (manual) auditing. Audit a random sample (with representatives from all parties doing the auditing) every now and then?

Might not even have to use facial recognition -- just have every (voting) member wear a qr-code button on their shirt...

(Then you could worry about a system that did real-time altering of the recorded image, as was demonstrated a year back (e.g. dynamically replacing ad boards in live sports events...).) I do believe there's distrust all the way down. Maybe we should just leave the decisions to a dictator.

The Australian software is not used for recording votes. It's used to assist the counting of physical ballot papers because the Senate vote counting system is extremely complicated. In this environment it's more straightforward to ensure the integrity of the software (as long as it's open and verifiable of course)

In that case a simpler fix would be to allow any independent party (within reason) to supply and use their own software and render their own tally.

If the parties are mutually distrusting, and their tallies still agree, that can be enough to trust the outcome. Auditing the source code has no real utility; it's worthless because you can't be sure that the code you've audited is the code actually running. "Open and verifiable" means nothing in that context.

I would prefer if the input to the software was published and anyone could verify the outcome. Unfortunately, currently none of this information is published and the whole system is based on trust.

Let's say that the software is published, and the code is audited and it looks ok - it seems to implement all of the intricacies of the transfer system and so on correctly. Then what? What if the operator forgets to use the latest version? or puts a different piece of software entirely on the counting system?

Having audited the source code really doesn't help; it won't remove the need to perform independent verification.

Similarly, merely publishing the input won't help much either; how do you verify that the published input corresponds to the actual votes? It won't remove the need for independent parties to observe the raw input (paper votes) and to make their own tallies; in which case those parties can publish their own copies.

Asking for the input to be published and the source to be published is just scraping the surface and won't add meaningful security. You need independent observation by mutually distrusting parties.

You keep saying this like people don't understand your point.

Personally I understand your point, but I think auditing the code is a good and important first step.

Technically it's worth noting that a code audit is required in any "perfect solution", so it isn't wasted effort.

Politically it is important to establish the principle that the AEC should be required to respond to reasonable requests to verify how the process is implemented.

> Similarly, merely publishing the input won't help much either; how do you verify that the published input corresponds to the actual votes? It won't remove the need for independent parties to observe the raw input (paper votes) and to make their own tallies; in which case those parties can publish their own copies.

Note that in Australia vote counting itself is manual and is already observed by multiple hostile parties. No one is proposing removing that.

> Let's say that the software is published, and the code is audited and it looks ok - it seems to implement all of the intricacies of the transfer system and so on correctly. Then what? What if the operator forgets to use the latest version? or puts a different piece of software entirely on the counting system?

Since we already have access to the raw counts the audited code can be run by anyone to verify it outputs the same output as the AEC claims.

The AEC does publish the totals for each candidate, at each stage of the Senate count [1]. There is a PDF for each state, under the heading "Distribution of Preferences". An example for NSW is at [2]. Are these numbers sufficient input to duplicate and verify the results of the AEC software?

[1] http://results.aec.gov.au/17496/Website/SenateResultsMenu-17...

[2] http://results.aec.gov.au/17496/Website/External/SenateState...

Not really the same as the raw input, because while most people vote above the line, there will be a small number who vote below the line, and the incremental count doesn't show if these were allocated correctly.

The best you could do is compare the expected flow each step, based on group voting ticket, against the actual flow, and make sure the total difference does not exceed the number of below the line votes.

Do they publish how many people vote below the line?

Edit: Antony Green has an estimate used in his calculator. "At Federal election, around 95% of mainland voters, and 80% of Tasmanian voters, fill in their ballot paper using the group ticket ('above the line') voting option."

http://www.abc.net.au/elections/federal/2007/calculator/sena...
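The check the comment above proposes (predict each stage's transfer from the group voting tickets, then make sure the published figures deviate from that prediction by no more than the number of below-the-line ballots that could have gone elsewhere) can be written down in a few lines. The following is an added example, not code from the thread, the AEC or anyone in it. The ticket orders, candidate names, parcel sizes and published totals are all constructed, and it handles only an exclusion stage where whole ballots are transferred; the real Senate count also transfers surpluses at fractional values, which is not modelled here. The rule it applies is stated as an assumption: every ballot in the transferred parcel is attributed to the group it was first counted for, so an above-the-line ballot must follow that group's ticket, and the total shortfall at the predicted destinations cannot exceed the number of below-the-line ballots in the parcel.

```python
# Added example (not from the thread or the AEC): sanity-check one stage of a
# published "distribution of preferences" against the flow predicted by the
# group voting tickets.  All data below is constructed for illustration.
from collections import Counter

EXHAUSTED = "EXHAUSTED"

# Group voting tickets: the full preference order that an above-the-line
# ballot for that group follows.  Constructed, not real tickets.
TICKETS = {
    "D": ["D1", "B1", "A1", "C1"],
    "E": ["E1", "D1", "C1", "A1"],
}


def predicted_flow(parcel_by_group, tickets, continuing):
    """Where the excluded candidate's parcel must go if every ballot in it
    followed the ticket of the group it was attributed to.

    parcel_by_group : {group: ballots in the parcel attributed to that group}
    tickets         : {group: ordered candidate preferences}
    continuing      : candidates still in the count
    Returns a Counter of ballots per destination (EXHAUSTED if no
    continuing candidate is left on the ticket).
    """
    expected = Counter()
    for group, n in parcel_by_group.items():
        dest = next((c for c in tickets[group] if c in continuing), EXHAUSTED)
        expected[dest] += n
    return expected


def check_stage(expected, actual, btl_in_parcel):
    """Compare a published stage against the ticket prediction.

    Above-the-line ballots cannot leave their ticket, so every ballot missing
    from a predicted destination must be a below-the-line (BTL) ballot that
    was attributed to a group but marked its own preferences.  The summed
    shortfall therefore cannot exceed the BTL ballots in the parcel.
    Returns (ok, shortfall, message); shortfall is None on a size mismatch.
    """
    parcel_size = sum(expected.values())
    published = sum(actual.values())
    if published != parcel_size:
        return False, None, f"parcel size mismatch: published {published}, expected {parcel_size}"
    shortfall = sum(max(0, expected[c] - actual.get(c, 0)) for c in expected)
    if shortfall > btl_in_parcel:
        return False, shortfall, (f"{shortfall} ballots left their ticket but the parcel "
                                  f"holds at most {btl_in_parcel} BTL ballots")
    return True, shortfall, "consistent with the tickets"


def main():
    # Stage: D1 has just been excluded; A1, B1 and C1 continue.
    continuing = {"A1", "B1", "C1"}
    # 520 ballots in D1's parcel, attributed by group of first count
    # (constructed); assume up to 20 of them are BTL.
    parcel_by_group = {"D": 420, "E": 100}
    btl_in_parcel = 20
    expected = predicted_flow(parcel_by_group, TICKETS, continuing)
    print("predicted:", dict(expected))

    # Two constructed "published" stage results.
    plausible = {"B1": 405, "C1": 95, "A1": 20}     # shortfall 20, within BTL
    implausible = {"B1": 300, "C1": 200, "A1": 20}  # shortfall 120, exceeds BTL
    for label, actual in (("plausible", plausible), ("implausible", implausible)):
        ok, shortfall, msg = check_stage(expected, actual, btl_in_parcel)
        print(f"{label}: ok={ok} shortfall={shortfall} ({msg})")


if __name__ == "__main__":
    main()
```

Run stand-alone it prints the predicted flow and the verdict for each constructed result. The tolerance is the weak point: it is only as good as the BTL figure you feed in, which is exactly why the comment asks whether the AEC publishes the number of below-the-line ballots rather than relying on Antony Green's estimate.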

As I understand it - yes normally these numbers are sufficient to verify outcomes.

However in extremely close races, such as what happened in WA - it can come down to very small numbers of individual ballots and how their preferences are stated, as to what order senators are elected in.

This then affects the re-flow of preferences.

The simpler fix would be to have a simpler voting system that can be done by hand.

The Australian counting system is VB6 on embedded MSSQL, upgraded from a COBOL implementation.

"Two AEC data entry operators enter the same ballot data into the system separately, so their counts can be compared to verify that data entry discrepancies are not allowed to influence the final outcome." http://www.itnews.com.au/News/360504,the-tech-behind-was-sen...

> counted by hand.

By whom? Overseen by whom? Who oversees the overseers? Not to mention people make mistakes, ballots get dumped, and nobody has any evidence their vote was actually counted.

Here's a long but fascinating tech talk on a real solution:

https://www.youtube.com/watch?v=ZDnShu5V99s

I can talk about Ireland, as I've been an election observer there. The way we do it is that ballot boxes are locked and sealed with tamper-evident seals after a polling station has closed. Election observers, including representatives from the political parties, may request to add their own seals. In some particularly contentious districts this is done, but for the most part people are happy with the official seals.

The ballot boxes are then transported by the police force to the nearest "count center". The next morning, the seals are inspected and those ballot boxes are opened. All of the ballot boxes in a constituency are counted together in a secure, but open area. Here's a flickr set with a good number of photos showing how it's done:

https://www.flickr.com/photos/redmum/sets/72157600270850764

The counters are within the fenced area, and the observers - including many people from the political parties - surround the fence. The entire process is easy to see.

One particularly important part is what happens when the boxes are opened. The contents are just dumped out on the table and one by one each vote is turned to face up and towards the observers. The observers then "tally" the votes and mark which candidate (or referendum choice) the voter marked as their first preference.

All parties participate in this tally and it provides the first take on what the result will be. The margin of error on the tally is < 1%. Some tallies with enough tally-takers also count the 2nd and 3rd preferences, but most tallies just project the transfers (we use a transfer based voting system) and that too is generally accurate.

Contentious votes with identifying or ambiguous marks and so on are kept aside and argued over by people like me for an hour or so, but they never make much of a difference.

The end result is a process that is very verifiable and auditable, in easy-to-understand human ways; you can literally show up at a count center and count the votes yourself as they come out of the boxes, and make sure that you're not being duped. That's a nice accessibility property too.

This request came after an election in Australia where, during a recount, 1375 votes originally tallied were unable to be found: http://www.aec.gov.au/media/media-releases/2013/e10-31.htm

An investigation was conducted http://www.aec.gov.au/About_AEC/Publications/Reports_On_Fede...

Rather than a police force transporting a sealed box, a commercial courier company or volunteer with their own car moved what might not have even looked like an official box (perhaps a printing firm's box) which in the end might have been thrown out in the recycling or might have been maliciously removed as the warehouse doors were left open or when a single security guard was on duty overnight.

As Mr Keelty wrote: "There is less concern for the security and integrity of Senate ballots because it is considered that they have less of an impact on the election outcome and in any event are warehoused for six years. This is a cultural problem within the AEC and it needs to be addressed. The fact that it had been thirty years since the last full recount of Senate ballots most likely added to the loss of care in routinely dealing with those ballots during the election."

I appreciate the thorough response and it does sound better than what I had envisaged.

However, there is still no way for me as an individual to know for certain that my vote has been counted. The best I can do is trust in the physical security practices surrounding the ballot box and the honesty of the volunteers involved. And even with a margin of error of < 1%, elections have been decided by fewer votes than that (~15 votes in my riding in Waterloo, ON in a recent election) and recounts are expensive, slow, and contentious.

I encourage you to watch the tech talk when you have a spare hour. We have the technology to create a much better and more transparent system.

We don't. I remind every group that tries to automate voting in my province that on election day somebody is going to denial of service the system to use it as an attention seeking platform which will just force a physical vote anyways. Other ideas floated like blockchain decentralized voting are also impossible since none of us can run a trusted personal device to vote with, and plenty of voters have no access or don't want access to phones or any other devices. Worse, every couple of elections there's some sort of scandal where a foreign "politically exposed person" has been caught propping up local candidates or outright fielding their own puppet to seemingly unimportant elections like the parks board so they can reap real estate or resource mining benefits. Imagine what kind of havoc a foreign state could wreak on an electronic voting scheme.

It's much more transparent to just do it by hand count, though they tried to sabotage that too: http://fullcomment.nationalpost.com/2014/03/11/dont-undermin...

Full transparency across time makes it easy to buy people's votes, or punish people for voting the wrong way. The moment I can check that my vote was counted, and was counted accurately, then my boss/landlord/wife/friend could pressure me into showing them said record.

The fact that I can vote very differently from what is socially acceptable in my social group, and there is no way for them to know is a feature, not a bug.

Watch the tech talk. It's possible to prove to yourself that your vote was counted correctly and simultaneously be unable to prove it to others.

In Australia, they're counted by a government official, and overseen by mutually hostile volunteers (scrutineers) supplied from the major parties. It's boring to be a scrutineer, but it's in the major parties' interests to ensure they are sent.