Australian Electoral Commission Refuses To Release Vote Counting Source Code
angry tapir writes: The Australian Electoral Commission has been fighting a freedom of information request to reveal the source code of the software it uses to calculate votes in elections for Australia's upper house of parliament. Not only has the AEC refused an FOI request (PDF) for the source code, but it has also refused an order from the Senate directing that the source code be produced. Apparently releasing the code could "leave the voting system open to hacking or manipulation."
... through obscurity. What could possibly go wrong?
Apparently releasing the code could "leave the voting system open to hacking or manipulation."
Makes me wonder who has access now and does not want competition?
I am the unwilling control for my Origin.
it's not those who cast the votes, it's those who tally them up that count.
You can't handle the truth.
It's software to tally it up. There's always a paper backup. As an Australian, this worries me.
While our senate voting system is a little odd, adding up the votes isn't simple and can't be done on election night, so it's no surprise to see software being used to calculate it, but with that said, all it has to do is do a number of rounds as candidates reach their quota, and when no one has a quota in that it eliminates the last candidate and moves the preferences accordingly. Our last election, there was even an instance of ~2000 ballot papers going missing, and then supposedly resurfacing much later. The High Court decided on another election for the state involved, which in my opinion is the only fair outcome possible.
If they're worried about hacking it, it's a complete farce; there's no reason why the computer doing the sums even has to be connected to the internet, seeing as I think all the ballots are counted by people (they're farcically large ballots often described as table cloths), they just plod in a few numbers as the data comes in. Someone must be worried that competent, impartial people will have a look and find something which has been giving out porky pies.
Or it could lead officers on the commission to jailtime. Just sayin.
This is ridiculous. The Australian government has already sent the software to Russia for peer review, and they determined that it worked perfectly during the Crimean referendum.
I see no reason why the code should be further made public. It could only lead to compromise.
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
Sounds like someone is already manipulating the count because they don't want you to see how it is done. Seriously, come on, you can use these in an airgapped setting (USB sticks back and forth?) so hacking should never have been an issue if your system is otherwise clean.
If your software isn't secure when your source is open, it isn't secure when it's closed. Either it's secure or it's not, but if part of maintaining that security is keeping the source under wraps, you're not thinking about security properly. You won't find encryption software claiming that by keeping its source closed it is increasing its resilience. If your code can't stand up to scrutiny, then you probably shouldn't be using it.
It's in the interest of national security and the war on child pornography to keep the vote tabulation methodology secret.
Then vote to have it released
Table-ized A.I.
>A system that few know is far more secure than an open one.
This is very wrong, though it is a common misconception. But, since the system in question is dealing with the fate of a country, it is also dangerously wrong.
The ramifications of a security leak for this software would (surprisingly) be almost nil; politics is a game played by players and if the numbers don't suit what they want then they make them up.
Almost certainly, the reason the info isn't being released is because the software was done by a private contractor on some sort of dodgy deal, and some minor head will roll when it eventually comes out.
Apparently releasing the code could "leave the voting system open to hacking or manipulation."
Maybe they just shouldn't have used code that they know or expect to have vulnerabilities. Open it up to the public; there are plenty of people who will look at it and help fix it.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Does the thing run only on Windoze 8 ?
Window anyway.
It's a VB6 program running on a single PC, supposedly for security reasons. The system is highly manual and failure prone enough that they're probably too embarrassed to release the code.
The system was developed internally by the AEC in 2001, when an upgrade to Windows 2000 rendered an existing COBOL-based application the commission was using to tally-up union elections incompatible with its standard operating environment. It was re-written as a Microsoft Visual Basic application and runs on Microsoft SQL.
http://www.itnews.com.au/News/...
http://www.crikey.com.au/2013/...
"I've got more toys than Teruhisa Kitahara."
Wow. Next thing is introduction of invisible ink on ballots and invisibility cloaks for people monitoring voting stations...
"The AEC rejected the FOI application, citing section 45 of the FOI Act, which exempts "documents that disclose trade secrets"."
You don't expect that trade secrets should be made public, do you? Look the code is not open source and is valuable intellectual property... so I hope I don't get my ass sued off for revealing it here:
int voteCount = votes.Count();
The Australian government has had a bit of a weird relationship with open source voting software. For example, the source for the eVACS voting system is available to download. It is not, however, easily buildable - they've specifically removed all config files, design specs, and instructions on how to get it into a usable state. You can look at the source to see the maths behind the scenes, but you don't get to play with a working copy.
As an aside: The man who made the FOI is a friend of a friend, and I was only slightly surprised to see him on the front page of Slashdot. It was probably bound to happen one day.
"Security through Obscurity is a Fallacy"(tm). These are words my cryptography professor said on the first day of the course. He repeated it when necessary. The logic is pretty straightforward: knowing the locks on your house doesn't make it easier for a criminal to break in to your house. 10 tumblers and hardened steel deadbolts are common knowledge, and a hard lock is a hard lock (both to pick and to break). I will repeat it: "Security through Obscurity is a Fallacy"(tm). The Australians refusing to show the source are being silly.
Aussie here, posting anon because I work for the Gov.
Honestly there's nothing too surprising about this. Australia is very pro-proprietary it would seem in terms of software and formats. We love using Microsoft products everywhere and Linux is never seen on a desktop, and barely outside of a server room (not including phones of course - we're not too bad in Android use). For the most part, there's no real push for openness or freedom of code as there is particularly in many European countries. I wish it weren't the case and not all of us are blind slaves to this, but there's no culture of openness or any real push to improve on the openness front. The fact the AEC believes that revealing the code constitutes a security risk just goes to show how little the FOSS culture has penetrated the Government.
Apparently releasing the code could "leave the voting system open to hacking or manipulation by the wrong people."
So what the AEC is saying is that the election is safeguarded by what is called "security by obscurity". Or in other words, rather than having the software open so that security researchers can point out its flaws, you leave the flaws in place and hope that nobody knows what they are.
People who rely on this method, are known in security circles as "blathering idiots", "damned fools", "corrupt officials hiding something", and various things like that.
It's the moral equivalent of giving all the paper ballots to one single pointy headed official, asking him to count them, and then believing whatever number he decides to cough up. That's what you expect in Cuba, and other dictatorships.
From 10 Sep 2013, you really want paper ballots in the open being counted by hand with lots of staff, election observers around.
http://www.abc.net.au/news/201...
The complex Single Transferable Vote math has been used around the world for many, many years now in different forms. This rush to keep computer code is interesting.
Domestic spying is now "Benign Information Gathering"
Whenever the topic of whether or not the source code to voting machines should be inspected comes up, I always point here: http://gaming.nv.gov/index.asp... and ask: 1) What do you think would happen to your slot machine if you told those guys you weren't going to show them your source code? and 2) Why not let these guys look at the voting machines, too? Seems like a transferable skill.
releasing the code could "leave the voting system open to hacking or manipulation."
In other words, any current or previous programmer in the development team could manipulate the vote results if one wanted to.
Any reasonable man would conclude that should be enough reason to stop using it.
Oliver.
Each Polling booth should have 2 machines.
At machine 1 you enter your vote (using whatever user interface that is appropriate) electronically.
This machine prints out a piece of paper that confirms your vote visibly for you.
You then insert this vote in to machine 2 which echoes your vote on the screen and tallies the vote independently of the first machine.
If you do not submit your paper vote within 20 seconds an audible warning is sounded "you have not voted correctly" blah blah
Each machine type must be supplied from a different supplier/manufacturer to specification.
You actually have 3 independent ways (machine 1, machine 2, paper) of counting the votes, for which there should be no reason for them not to all match.
Australian elections are still paper ballots.
This is just a paper counter.
Security by obscurity - just one more way to hide what you are doing... Truth be told, how can the citizenry accept a committee refusing senate orders and FOIA requests? Is it not time to stand up and demand fully transparent government, is it not time perhaps to put an end to more than 4 years in office. Is it not time to implement perhaps something like a meritocratic process for the elected to ensure our western governments are not run by nincompoops only looking out for themselves and in politics for the sake of power and money, why on earth would you want to keep secret how elections are being held. It is only by open scrutiny and failsafe mechanisms one can ensure free and open elections. Do we not send observers out in the world to ensure we see free open elections taking place, do we not criticize when we do not see such open and free elections. What is the difference between looking at abstract code and a human being looking at how counting is being done manually.... zero!!! In fact having humans peruse the code is comparable to having observers observe an election to make sure the code performs the task properly. Just like our government seem to like to spy on their people, following their every sms, their every phone conversation, their every email, their every opinion, perhaps it is time for the people to "spy" on their government by having responsible politicians put into effect completely open voting systems and laws opening up every aspect of government and demand complete insight into the electoral process going on inside the voting machines. One could perhaps even consider a lottery where people are selected for civil service for a period of some years and placed in a non refusable position at some time in your life, age naturally with a guarantee of ability to continue in jobs etc. after ended service. This way you will eliminate the "livelihood politicians" i.e. those who have chosen politics as their livelihood, some even jumping perhaps from party to party, from "belief to belief" according to public opinion just to be able to cling on to a well paid seat in parliament or elsewhere in the system. The same should be done for the civil servants so as to ensure we not in reality are governed by a group of civil servants while the elected perform democratic theater thinking they are in control. The task of any politicians and the political system as a whole should be to ensure that the citizens are free to live their lives as unrestricted as possible, to create a society that allows the individual as much freedom as possible to live life in a way of that individual's choosing. To create the framework where within jobs can be created by the productive citizens of a country. The western democracies need a complete reboot so that the slide towards secret corporate run governments can be averted. We need to free government from undue influence from all power structures other than the citizens themselves. This refusal is a prime example why it is time to wake up and take action before it is too late!!!
MS, ALS, Aphasia ? http://globability.org - Me http://einarpetersen.com
The article is very light on detail.
However, I'd like to clarify some incorrect, or at least out-dated, points in your post.
The AEC does use software for keeping track of votes.
But it was not written in VB6. Nor was it written in 2001.
How do I know this? Simple. I was on the team that wrote it.
I was on the project in 2012/2013, though the project has existed before and after that.
The AEC does/did have some legacy COBOL systems. But this isn't one of them.
I don't want to go into detail because a) it would be inappropriate and b) I don't know enough about the agency outside of the project to represent them adequately.
The software went partially-live during the last election to show that it worked and it met all milestones. It will likely see further use and development in the future.
The previous poster was me... For some reason it came through anonymously. Sorry about that. But, while I'm at it, I'd like to clarify that there are separate systems at play for 1) tracking votes and 2) tracking vote results. These are separate problems and you do not want the same system doing this. Why? Because there's something uncomfortable about a system that tracks who you are, where you are and how you voted. :)
So why do you think they are so strongly resisting the release of the code? It sounds like having extra people examining it for errors could only be a good thing, assuming accuracy is all you care about.
How would the system assign votes to identities? The ballot papers are anonymous, and Australian elections are supposed to be a secret ballot.
Actually it's easier to mess with paper ballots. Messing with software leaves a trail.
I) Messing with software doesn't necessarily leave a trail. For example, a system by which your votes are tallied and the results placed in a file on an SD card for collation in a central location, relying purely on security by obscurity, means that you could mess with the data file in transit and no-one would be any the wiser.
II) It's easier to mess with paper ballots, principally because computer systems are understood by fewer people than slips of paper. For precisely the same reason, it's much harder to audit voting systems involving computers. Widespread fraud in paper voting systems is difficult to pull off, because the manual nature requires a lot of observers, and most people can understand handling votes in a trustworthy manner. Voting systems based on computers can be manipulated by a single agent, often without a trace. And the pool of people capable of auditing them shrinks the more complex you make them - mickey-mouse ciphers included.
Paper voting spreads trust over a large number of people. Computer voting concentrates it in the hands of a very small technically adept priesthood, much easier to buy off or intimidate. I'm the first to geek out about some cool new method of using crypto, but I've come to realise that as much enthusiasm I have for the technology, I'm not really comfortable trusting the election of my government to it because it's so easy to subvert.
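The tally-file-in-transit case from point I above, as an added example that is not part of the thread or of any real election system: an unkeyed checksum (integrity that depends on nobody knowing the format) beside a keyed MAC whose only secret is the key. The file layout, field names, polling-place IDs and key are assumptions constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample: a polling-place tally as it might be written to removable media.
SAMPLE_TALLY = {"polling_place": "PP-0001", "batch": 7,
                "first_preferences": {"A": 412, "B": 389, "C": 57}}
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(tally):
    """Serialise deterministically so both ends authenticate identical bytes."""
    return json.dumps(tally, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_unkeyed(tally):
    """Weak form: a plain SHA-256 digest that needs no secret to recompute."""
    digest = hashlib.sha256(canonical_bytes(tally)).hexdigest()
    return {"tally": tally, "digest": digest}


def check_unkeyed(record):
    expected = hashlib.sha256(canonical_bytes(record["tally"])).hexdigest()
    return hmac.compare_digest(expected, record["digest"])


def seal_keyed(tally, key):
    """Stronger form: HMAC-SHA256 over the whole tally, IDs included."""
    tag = hmac.new(key, canonical_bytes(tally), hashlib.sha256).hexdigest()
    return {"tally": tally, "mac": tag}


def check_keyed(record, key, expected_place, expected_batch):
    """Accept only an authentic file that is also the file we were expecting."""
    tally = record["tally"]
    expected = hmac.new(key, canonical_bytes(tally), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("mac", ""))):
        return False
    # The MAC covers these fields, so a valid file from another polling
    # place or an earlier batch cannot be substituted unnoticed.
    return (tally.get("polling_place") == expected_place
            and tally.get("batch") == expected_batch)


def altered_in_transit(record):
    """Model a change made in transit: one count is altered, and any
    integrity field that needs no secret (the plain digest) is refreshed."""
    changed = copy.deepcopy(record)
    changed["tally"]["first_preferences"]["A"] += 100
    if "digest" in changed:
        changed["digest"] = hashlib.sha256(
            canonical_bytes(changed["tally"])).hexdigest()
    return changed


if __name__ == "__main__":
    weak = altered_in_transit(seal_unkeyed(SAMPLE_TALLY))
    strong = altered_in_transit(seal_keyed(SAMPLE_TALLY, DEMO_KEY))
    print("unkeyed digest accepts altered file:", check_unkeyed(weak))
    print("keyed MAC accepts altered file:    ",
          check_keyed(strong, DEMO_KEY, "PP-0001", 7))
```

A shared MAC key still lets whoever holds it at the central site produce valid files, so it does not address the insider concern raised in the thread; a per-site signing key with published public keys would narrow that.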
First of all, I wrote the previous post at work and, in the chaos of my office I think I misread the original post.
I worked on the software that tracks when and where a person votes.
ie: You walk into a polling station, present your ID and then get given a ballot form. The system records the time, location and TYPE of vote against your ID and synchronises that to a central database in near real-time. It does NOT record WHO you voted for. I'm sorry that I gave that impression. My bad.
I am not familiar with the software used to determine the outcome of votes. But, and this is speculation on my part, I can't imagine that it would be overly complex.
I'm honestly not sure why one wouldn't want to release the code. If nothing else, it might be nice to have a 'reference implementation' for a democratic vote tallying process. I assume a reasonable reason might be that it has not been audited for public consumption. Even a simple audit requires time and money. Both of which are in short supply at the AEC.
Indeed you are correct. See my above reply to 'gronofer'. I mis-understood the original article. I worked on a related but separate system. I apologise for misleading you, even though it was unintentional.
The details of where you voted, when you voted and the type of your vote are attached to your ID. But, WHO you actually voted for remains completely anonymous... So don't fret. :)
My system was used (among other things) to determine if/when/how a given person attempted to vote more than once. The funny thing is a significant proportion of these offenders turn out to be elderly people who simply 'forgot' that they had already voted. Seriously.
Apparently releasing the code could "leave the voting system open to hacking or manipulation."
Or shows the possible backdoors already in the code to the public?
You could talk to Dr Clive BOUGHTON http://people.cecs.anu.edu.au/user/3758, I think he was involved in creating this software.
They can only be sure that it will leave the system open to this, if that is what they use the system for themselves. I'd say that's a confession that any judge should honor.
We have it no better here. 60 Minutes did an exposé showing how with just a little bit of physical access to a voting machine (which majority party representatives have since they are 'responsible for checking the machines before elections) you can make any result you want come out of our electronic voting machines regardless of what the input was in the voting booth. There have only been 2 times in recorded history that the actual outcomes in a voting district severely varied from the actual results once tallied.. once in Florida... and once in Ohio.. swing states that got baby Bush elected on each of his terms of office. In both cases requests were made for the paper records to review the results and in both cases the requests were denied. The things that make you go HMMM....
If I sound stupid, it's not me talking....
There is a key piece of information which might not be immediately obvious to non-Australians and that is that our voting system is wholly paper-based, other than the one step where they enter the Senate votes into this computer software to run the count for them. Since they manually tabulate and publish the raw vote counts beforehand (technically above-the-line votes but below-the-line votes are rare and almost never change the outcome), it is possible for others to verify the official count. In fact, the ABC usually predicts the results accurately well before this software is run.
All of which makes the AEC's claim that publishing the source code might allow someone to manipulate the system extremely odd. The only interaction anyone not working for the AEC has with this software is writing on the ballot paper with a pencil. I noted that the FOI request explicitly did not ask for any of the code behind the scanning of the ballots, so even the possibility of somehow confusing the reader with carefully crafted ballot markings is not a risk. I can't speculate as to what their real reason is but this official reason makes no sense at all.
One way of putting #2 is that it's easier to mess with paper ballots, but harder to mess with a lot of them and get away with it. If you want to change 100,000 paper votes, a lot of people are going to have to be in on it.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
True, but I think old Doc Barnowl actually just out a word.
II) It's easier to mess with than paper ballots,
Science is all about firing a drunk pig out of a cannon just to see what happens.
Or I just misread it. D'oh.
Science is all about firing a drunk pig out of a cannon just to see what happens.
You miss the point; obscurity is a useful tool, not the only one. If we were using only obscurity, you'd be absolutely right. However, it's (hopefully) not. However, there are most certainly vulnerabilities (all software has vulnerabilities) and exposing the source code increases the tools that a malicious hacker has for attacking the system.
if you can't release your source code due to it exposing vulnerabilities or methods of manipulation, you need to re-write your code.
If the source code cannot be revealed to keep it safe from vote hacking keeping it secret limits the vote hackers to the government.
That only applies when transparency is not a competing security mechanism.
In this case, transparency protects from institutional and insider attacks on the system of self-governance. Obscurity simply protects the mechanism from observation. One must ask which is more important.
I'd be more uncomfortable with the lack of authority chain from my vote to the vote tally. The absence of this clear chain opens the system to fraud. The electronic version of ballot stuffing.
Two of my imaginary friends reproduced once
Executive Summary
"There is insufficient evidence available to allow independent observers to state reliably whether the results declared in the May 2008 elections for the Mayor of London and the London Assembly are an accurate representation of voters’ intentions. Given these findings, the Open Rights Group (ORG) remains opposed to the introduction of e-counting in the United Kingdom, unless adopting ORG’s recommendations for increasing the transparency around e-counting can be proved cost effective."
Fucking god lol..........
Someone who has a problem with private code voted my initial post down to troll.
Interesting
What I was trying to point out is that private encryption can be much more secure than public.
obviously there needs to be oversight.
A carefully managed system with a private encryption system can be very safe, and far less costly than an open one. But it does mean you can't publish the code.
Given the recent heartbleed issue. How secure is open source?
I would be more interested in knowing the parameters and outcomes of the software.
Otherwise the code could be as simple as 1+n where n are all the prior votes counted.
Sounds too simple to be an issue so I assume it's got to be a lot more complex than that.
The electoral rolls are marked by hand in each polling place. Even if all sheets are scanned then checked later, it should be a no-brainer piece of code.
Don't be apathetic. Procrastinate!
You know, they have a technique where I vote for making sure I don't accidentally vote twice. I sign the book when I get my ballot, and if I've already signed I know I've already voted.
Paper is wonderful for elections. It's understandable, impossible to manipulate globally, has fairly obvious security measures to try to stop local manipulation, and leaves a tangible record for audit and recount purposes. Add electronic tabulation to speed up the counting process, and what more could you want?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
They could release pseudo code instead of machine code. That way we could be sure that the code works without having to reveal vulnerabilities to potential hackers. And if a hacker/black hat can leverage a problem found within the pseudo code then the whole thing should be rewritten.
Releasing the source code for software does not make it vulnerable to hackers. If that was the case, nobody would use GnuPG.
"Nationalism is an infantile sickness. It is the measles of the human race." -Albert Einstein
Probably missing something, but why do you need a separate system to track vote results? Could the system that tracks votes not just do a tally...
If you ignore ACs because they are anonymous - you're an idiot.
I'm surprised there is any software to release given the mainly manual nature of our voting system. I'd be more concerned that the transposition from Paper ballots to Paper Tallies to a Computer might be inaccurate. More likely than the software organising the results would be flawed in my opinion.
Wolja Future Tombstone: Shit happened then I died
It's true that there is no difference in security between
* A closed source, perfect, crypto component
* An open source, perfect, crypto component
If it's perfectly secure, the privacy of the source code makes no technical difference.
private encryption can be much more secure than public
As above, if the security of your solution is perfect, privacy makes no difference - public can be much more secure than private.
The privacy of your solution DOES make a difference to other factors.
* Trust
People are more inclined to trust something they can inspect. If someone says "my security system is PERFECT... but you can't look at how it works", my first impulse is to think that they have something to hide. And that something could be a super cool proprietary technology, but it could just as easily be a gaping security hole a script kiddie could exploit. Given the fact that if you patent your super cool technology, the detail of it is public anyway, but I still can't steal it, the bias is that it's far more likely to be that your solution has problems, whether they be stupid mistakes, back doors for the NSA to exploit, or rude comments in the source code.
* Peer review
Good security is hard. Even if you're some kind of security savant, people think differently and someone may spot a gaping hole in your solution that you just have a blind spot to. Open, standard security technologies have multiple people poring over them looking for holes. There are people who get their kicks that way. Exposing your technology to as many of them as possible and letting them tell you what their opinion is, is the best way to evaluate your solution.
It's easy to come up with something YOU can't break. It's much harder to come up with something that no one can break. The difference between private and public is that you'll only get to find out AFTER something is depending on your solution not breaking.
Skype make a pretty big deal out of the security of their solution, but the truth is that leaked documents have made it very obvious that intelligence agencies can trivially intercept Skype communications - and we don't know whether this is because there are back doors, or because the security of the protocol is just crap, because we can't inspect the source code and there is no public documentation of the protocol. It's most likely there are back doors, because properly implemented crypto is not trivial to break. So this is a private system that many people trust, yet it's obviously not worthy of that trust.
So closed-source security solutions are not the best idea, for exactly the reason you propose that they ARE.. if you keep the source private, you keep the security holes private. It will just take longer for someone to exploit them, or it will be insiders that exploit them. If you open the source up, when holes get found... yes, some of them will be by bad actors. But some will be found by people with an interest in seeing them fixed.