E-Voting Company Reveals Their Source Code
Kodi writes "VoteHere has decided to release their source code so that other people will have confidence in it (MSNBC, press release). It's definitely NOT open source (unlike OVC), but it's still a step in the right direction."
1) Pain in the ass. Asks me to submit my full name, organization, and email, along with an opt-out checkbox for newsletters and a licence agreement.
2) You may not download this Software if you are located in any country (or are a national of a country) subject to a general U.S. or U.N. embargo or are deemed to be a terrorist country (i.e., Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria). Ouch! Why the patriotic license clause?
3) A quick glance at the source code seems to indicate that it's Cygwin-dependent C++. Not really the best platform to open your source code on, since the Windows world encourages closed development.
Also, who's to say that this is the source code that will be compiled on the voting terminals? What prevents any e-voting company from building binaries that have "secret conspiracy back doors" in them? Are voting polls expected to compile their own code? And if so, why choose Windows when there is no built-in compiler available by default on that platform?
Where's my voter-verifiable paper printout?
"Righteous speed demon and trust fund party darling of justice"
And even then, how is any random voter (geek or not) going to be reassured that the proper, open software is what's actually running on the machine he's touching?
I'm sure we can all think up tricky ways to verify the code - maybe provide a "verify code" button which prompts for a passphrase, then generates a hash using that and the software, providing a printout that the voter could verify against a secure web page, using the same passphrase. That would work unless you're paranoid enough to think that maybe there's a second EPROM in there that's actually handling the machine, checksumming against the original, unused version...
No, I think it's pencil-and-paper time again. Can anyone think of a really pressing need to use some kind of electronic vote machine, other than the "we can declare the result instantly!" reason? I venture to suggest that voter confidence in an honest election ought to outweigh any "instant win!".
Sadly, society in this country has been pushed more and more towards instant gratification for minimal investment. Instead of wielding a pencil to make a mark you now barely have to touch the display. Instead of waiting a day or two for the results, you can watch the numerous "results" shows on TV as they attempt to predict the winners.
Election reforms I'd propose: 1) Pencil and paper ballots; 2) Absolute blackout of media coverage, at least until the polls close *all* over the country. None of that instant win crap on the East Coast while West Coast, Alaska & Hawaii voters are still making up their minds...
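The "verify code" button idea above, together with the second-EPROM objection to it, sketched as an added Python example. This is not code from the page or from VoteHere; the software images, the passphrase and the 16-hex-character tag length are constructed for illustration. The keyed hash is an HMAC-SHA256 over the image under the voter's passphrase, which is the natural way to make a per-voter tag the voter can recompute from the published source.

```python
import hashlib
import hmac

# Constructed stand-ins for a voting terminal's software image (not real firmware).
# The published image is what the voter can fetch and hash on the "secure web page";
# the tampered image is the same program with a vote-flipping change.
PUBLISHED_IMAGE = b"terminal-v1: record(vote) -> store vote exactly as cast\n"
TAMPERED_IMAGE = b"terminal-v1: record(vote) -> store vote as cast, flip every 50th\n"


def voter_tag(passphrase: str, image: bytes) -> str:
    """The tag the 'verify code' button would print: HMAC-SHA256 of the software
    image keyed with the voter's passphrase, truncated so it fits on a printout."""
    return hmac.new(passphrase.encode(), image, hashlib.sha256).hexdigest()[:16]


def voter_checks(passphrase: str, printed_tag: str, published_image: bytes) -> bool:
    """What the voter does at home: recompute the tag over the published image with
    the same passphrase and compare it to the printout (constant-time compare)."""
    return hmac.compare_digest(voter_tag(passphrase, published_image), printed_tag)


def press_button(passphrase: str, running_image: bytes, hashed_image: bytes = None) -> str:
    """Simulates the button. An honest terminal hashes the code it actually runs.
    The 'second EPROM' terminal runs one image but hashes a pristine stored copy,
    so the voter's check is computed over bytes that are never executed."""
    target = running_image if hashed_image is None else hashed_image
    return voter_tag(passphrase, target)


def scenario_honest_terminal(passphrase: str = "lunar-otter-42") -> bool:
    # Honest terminal running the published image: the printout verifies.
    tag = press_button(passphrase, PUBLISHED_IMAGE)
    return voter_checks(passphrase, tag, PUBLISHED_IMAGE)


def scenario_tampered_honest_button(passphrase: str = "lunar-otter-42") -> bool:
    # Tampered image, but the button still hashes what runs: the check catches it.
    tag = press_button(passphrase, TAMPERED_IMAGE)
    return voter_checks(passphrase, tag, PUBLISHED_IMAGE)


def scenario_second_eprom(passphrase: str = "lunar-otter-42") -> bool:
    # Tampered image runs, but a stored pristine copy is what gets hashed:
    # the voter's check passes even though the running code is wrong.
    tag = press_button(passphrase, TAMPERED_IMAGE, hashed_image=PUBLISHED_IMAGE)
    return voter_checks(passphrase, tag, PUBLISHED_IMAGE)


if __name__ == "__main__":
    print("honest terminal verifies:        ", scenario_honest_terminal())
    print("tampered image, honest button:   ", scenario_tampered_honest_button())
    print("tampered image, second EPROM:    ", scenario_second_eprom())
```

The third scenario is the point of the objection: the passphrase makes the tag unpredictable to anyone who lacks it, but it does not change who chooses the bytes being hashed. As long as the machine under test performs the hashing, it can hash a clean copy rather than the code it executes, so a self-reported hash only attests to what the device chose to measure.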
Revealing source code is good, but that doesn't guarantee that the code you review is the same code actually running in the deployed machines.
Some people would like to see paper trails and code review as a backup security measure, but I have another option I could feel comfortable with. How about a neutral third party, mutually selected by the state/city/etc and machine supplier? This third party can act as the review agent for the code, even bringing in outside experts. Public review of the code could even be done if all parties agree that this is the best thing to do.
Finally (and here is where I think things get better), the escrow company actually builds the reviewed code, performs quality and acceptance tests. This code built by the third party is then released to the state for installation in their machines. The machine supplier never releases code directly to state/county/city/etc.
Many large corporations use similar schemes to manage mission critical code. The IP still belongs to the machine supplier, of course, but there is now a very public and verifiable step in the process to ensure trust in the system.
We've been having e-voting in Brazil for ten years now. The machine's source code is not open; it's a small machine that saves the result on a disk and prints a confirmation with each vote.
In ten years we had three presidential elections, as well as elections for governors, mayors and senators, all of them with e-voting. Citizens between 18 and 60 years MUST vote (between 16 and 18 and above 60, voting is optional).
In these ten years, with plenty of elections and huge amounts of votes, not ONCE has the result of an election been contested by any political party (winning or losing, left or right), individual or the media. Usually the official results are released one or two days after the election.
So my question is: Why the big fuss about e-voting in the USA?
This is not a free software project! They didn't release the code to get the benefits of the open source development methodology, or to give back to the community. They released it so that the source could be audited by anyone who cared to do so, and the framework they provided is sufficient for this. Transparency has long been deemed important in the security world and has its own benefits that still exist even without a distributed development method.
I don't understand what your concern is, because I don't see how setting up a public CVS would improve the quality of the software. People who are interested in auditing this code do not need direct access to CVS, and the lack of it will not deter them from doing so. The only way that CVS could help is if developers joined the project for fun or to scratch an itch, and happened to find bugs in the process, but I don't see any reason that this would be the case. Auditing is meticulous work. It is not the type of thing that joe-schmoe open source programmer does for fun. It is the kind of thing that security experts do, and if they are the only ones that are attracted to this code then there is nothing wrong with that.
There needs to be a standard way to refer to different licenses.
Most lay people would assume that open source means you could look at it. But in tech circles that is not the case. It has to be more than that.
And does the tech definition of open source include BSD, GPL, public domain, etc licenses?
Or is it just referring to GPL?
Or does it depend on who you ask.