Slashdot Mirror


Australian Electoral Commission Refuses To Release Vote Counting Source Code

angry tapir writes: The Australian Electoral Commission has been fighting a freedom of information request to reveal the source code of the software it uses to calculate votes in elections for Australia's upper house of parliament. Not only has the AEC refused an FOI request (PDF) for the source code, but it has also refused an order from the Senate directing that the source code be produced. Apparently releasing the code could "leave the voting system open to hacking or manipulation."


  1. Security by Anonymous Coward · · Score: 5, Funny

    ... through obscurity. What could possibly go wrong?

    1. Re:Security by Anubis+IV · · Score: 3, Insightful

      It's not just a matter of what could go wrong. It's a matter of what has already gone wrong. They've traded the possibility that a vulnerability will be used to compromise the system for the certainty that the system will be compromised from the get-go. The whole point of securing a system such as this one is to ensure the credibility of the results, but security (regardless of the variety) can't add credibility to something that never had it to begin with.

  2. Hmmm, by Lost+Penguin · · Score: 4, Insightful

    Apparently releasing the code could "leave the voting system open to hacking or manipulation."

    Makes me wonder who has access now and does not want competition?

    --
    I am the unwilling control for my Origin.

    1. Re:Hmmm, by Anonymous Coward · · Score: 5, Insightful

      That is a myth: obscurity is a valid security mechanism, it just should not be the only one. Good security uses all means available to delay, ward off or prevent security breaches.

    2. Re:Hmmm, by Anonymous Coward · · Score: 2, Informative

      Australian senate elections don't use electronic voting machines to record electors' votes.

      The AEC use this software to allocate preferences derived from the 'group voting ticket' ballots on pieces of paper (http://en.wikipedia.org/wiki/Group_voting_ticket).

    3. Re:Hmmm, by TWX · · Score: 4, Insightful

      But for security through obscurity to work, the level of obscurity required is generally high, bordering on outright-secret, or the payoff needs to be so scant that there's no reason to bother in the first place.

      Security through obscurity might work for something like a power plant control system because we don't know the architecture of the hardware that it runs on, the operating system or if there is a third-party OS, the language it's written in, or even its name, and given the importance of the application it probably wouldn't be permanently Internet-connected, and if it needs to send out notifications it might communicate through a unidirectional RS232 link or something along those lines, or through a transmit-only fiber link (so that there's not even receive hardware on the platform). Certainly there would be some people that really want to break in, but it's exceedingly unlikely that they'll ever be in a position to do so.

      Security through obscurity can also work when the system is not terribly important. I don't doubt that the Energy Management System controllers that interface the HVAC systems in commercial office buildings to the computer networks are garbage as far as their code is concerned, but there's not much someone can do with those in most cases. So even if there's ability, there's no real payoff, and the systems are so incredibly simple and underpowered that they'd make for poor intermediaries in a greater attack even.

      By contrast, voting equipment is usually distributed widely and is not particularly heavily guarded, and as it needs to be inexpensive to produce in mass quantities it's often commodity hardware, off-the-shelf parts if you will, and there have been documented cases of electronic voting hardware having exposed and functional USB ports. As vote tallies are important it's not inconceivable that someone could borrow or steal a voting machine to figure out how it works and to find some way to mass-tamper with them, like distributing USB fobs to their fellows to use on them to load a package. In these cases, obscurity simply doesn't work because the system can't remain obscure.

      --
      Do not look into laser with remaining eye.

    4. Re:Hmmm, by Bert64 · · Score: 2

      Security through obscurity is an accident waiting to happen... When you talk about a system that no one would bother trying to hack, consider the bitcoin exchange mtgox - it started off as a simple site for trading game cards, and initially bitcoins had very little value - there was very little interest in hacking it. Then pretty much overnight bitcoin exploded in value, making it a very tempting target indeed.

      Also when you talk about a power plant system, a one way link is the security, not the obscurity aspect.

      A secure system is one where even those who know the system inside out cannot break into it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    5. Re:Hmmm, by Wootery · · Score: 4, Funny

      Wait a minute. You're saying pre-SP Windows XP isn't secure enough to be trusted as the basis for a country's democracy?

      Now I've heard everything.

    6. Re:Hmmm, by FatLittleMonkey · · Score: 2

      Security through obscurity might work for something like a power plant control system because we don't know the architecture of the hardware that it runs on, the operating system or if there is a third-party OS, the language it's written in, or even its name, and given the importance of the application it probably wouldn't be permanently Internet-connected, and if it needs to send out notifications it might communicate through a unidirectional RS232 link or something along those lines, or through a transmit-only fiber link (so that there's not even receive hardware on the platform).

      Power companies don't develop bespoke security on their control systems (and would likely suck if they did). A particular power system most likely uses off-the-shelf 1970s or '80s Siemens systems whose specs are widely known through the industry because of the decades of technicians who have worked on them.

      For example: http://www.wired.com/2013/10/ics/

      Security through obscurity doesn't work because it relies on the security of your obscurity, and most of the time your obscurity is weak. Key-based crypto systems are a form of security through obscurity; the obscurity is your key. But you have a reasonable ability to control the key, if they are issued per-person/per-session/etc. A key crypto system becomes useless if the key is distributed to multiple people, because you've breached the security of your obscurity. OTOH, the back-end system for the key-crypto cannot be obscure because someone other than the individual user had to develop it, install it, maintain it, operate it, etc. The same is true of the power station example, since there must be thousands of people trained to maintain such systems, plus all the developers/etc at Siemens, plus any rival company who's reverse engineered a Siemens system to develop "compatible" systems, plus... In the case of a voting system, you've got all the system devs, all the system maints, all the people who have access to the secret Trust Me computer when it's in use, all the people who have access to the secret Trust Me computer when it's not in use, etc. Your obscurity is inherently insecure.

      But in the case of voting (or vote counting, in this case), we don't want security through obscurity specifically because obscurity is a known risk in voting systems. We want security through multiple independent observation of the entire process, the more observers the better. A vote count that is carried out entirely within a piece of code on a computer is, by definition, no matter how secure and air-gapped and guarded that computer, unable to be observed by independent observers. It lacks the fundamental requirement of being verifiable.

      That's why you can't beat a hand count.

      [If they want to put the count on a computer, then every piece of data (in this case, the preference information on individual ballots) should be put on-line - in addition to the hand count. That way, hundreds of independent, 3rd party systems can do a quick electronic count, not just the AEC's secret Trust Me box. (Parties, NGOs, media networks, university politics professors, university statistics students, etc.) Likewise, during the data entry process by AEC officials, on-site observers watching over their shoulders would be able to, would be encouraged to, enter each ballot into their own separate (tablet/laptop-based) systems. If the results of the later official hand count disagree wildly with the majority of 3rd party systems, it's cause for panic/re-count/inquiries. If a few 3rd party systems get different results from the majority, there's probably a flaw in those. In net, you end up with multiple, overlapping, self-reinforcing and completely open counting systems that assure everyone of the integrity of the system and which get stronger over time, while at the same time giving the advantage of faster (electronic) results.]

      --
      Science is all about firing a drunk pig out of a cannon just to see what happens.

  3. of-course by roman_mir · · Score: 5, Insightful

    It's not those who cast the votes, it's those who tally them up that count.

    1. Re:of-course by Anonymous Coward · · Score: 3, Funny

      In other words, it's those who count that count.

  4. This is complete crap!!! by sd4f · · Score: 5, Informative

    It's software to tally it up. There's always a paper backup. As an Australian, this worries me.

    While our senate voting system is a little odd, adding up the votes isn't simple and can't be done on election night, so it's no surprise to see software being used to calculate it, but with that said, all it has to do is do a number of rounds as candidates reach their quota, and when no one has a quota in that round it eliminates the last candidate and moves the preferences accordingly. Our last election, there was even an instance of ~2000 ballot papers going missing, and then supposedly resurfacing much later. The High Court decided on another election for the state involved, which in my opinion is the only fair outcome possible.

    If they're worried about hacking it, it's a complete farce; there's no reason why the computer doing the sums even has to be connected to the internet, seeing as I think all the ballots are counted by people (they're farcically large ballots often described as table cloths), they just plod in a few numbers as the data comes in. Someone must be worried that competent, impartial people will have a look and find something which has been giving out porky pies.
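    The quota/elimination/transfer rounds described above, and the idea (earlier in the thread) that anyone with the ballot data could rerun the count independently, as an added example written for this page rather than code from the AEC or from any poster. It is a simplified single transferable vote count (Droop quota, weighted Gregory surplus transfers, deterministic alphabetical tie-breaks) over a constructed set of ten ballots; the real Senate rules differ in details such as how transfer values are computed and how ties are resolved.

```python
from fractions import Fraction

# Constructed sample: 10 ballots, each a preference order (most preferred first).
SAMPLE_BALLOTS = (
    [["A", "B", "C"]] * 4
    + [["A", "C", "B"]] * 2
    + [["B", "C", "A"]] * 2
    + [["C", "B", "A"]]
    + [["D", "C", "B"]]
)


def droop_quota(num_ballots, seats):
    """Droop quota: the smallest total that only `seats` candidates can all reach."""
    return num_ballots // (seats + 1) + 1


def _transfer(ballot, weight, piles, active, exhausted):
    """Move one ballot, at its current weight, to its next continuing preference."""
    for cand in ballot:
        if cand in active:
            piles[cand].append((ballot, weight))
            return
    exhausted.append((ballot, weight))  # no continuing preference left on the paper


def count_stv(ballots, seats):
    """Simplified STV count; returns (elected in order, quota, per-round totals)."""
    candidates = sorted({c for b in ballots for c in b})
    quota = droop_quota(len(ballots), seats)
    active = set(candidates)
    piles = {c: [] for c in candidates}    # candidate -> [(ballot, weight)]
    exhausted, elected, log = [], [], []
    for b in ballots:                       # first preferences at full weight
        _transfer(b, Fraction(1), piles, active, exhausted)
    while len(elected) < seats and active:
        totals = {c: sum(w for _, w in piles[c]) for c in active}
        log.append({c: str(totals[c]) for c in sorted(active)})  # auditable trail
        if len(active) <= seats - len(elected):
            # Fewer continuing candidates than vacancies: elect them all without a quota.
            elected.extend(sorted(active, key=lambda c: (-totals[c], c)))
            break
        reached = [c for c in active if totals[c] >= quota]
        if reached:
            winner = max(reached, key=lambda c: (totals[c], c))
            elected.append(winner)
            active.discard(winner)
            # Only the surplus above quota moves on, as a fraction of each paper's weight.
            transfer_value = (totals[winner] - quota) / totals[winner]
            for b, w in piles.pop(winner):
                _transfer(b, w * transfer_value, piles, active, exhausted)
        else:
            # Nobody reached quota: exclude the lowest and pass on their papers unchanged.
            loser = min(active, key=lambda c: (totals[c], c))
            active.discard(loser)
            for b, w in piles.pop(loser):
                _transfer(b, w, piles, active, exhausted)
    return elected, quota, log


if __name__ == "__main__":
    winners, quota, rounds = count_stv(SAMPLE_BALLOTS, seats=2)
    print("quota:", quota, "elected:", winners)
    for i, r in enumerate(rounds, 1):
        print("round", i, r)
```

    Because every round's totals are exact fractions and the procedure is deterministic, two observers fed the same ballot data must produce identical trails, which is the check the thread's "publish the ballot data" proposal relies on.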

    1. Re:This is complete crap!!! by sd4f · · Score: 4, Insightful

      Should have finished reading the article, this bit at the end is probably the truth:

      "In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems,"

      What's probably happening is that some "IT" company whose only client is the government/AEC probably makes a fairly decent earn out of licensing out the software and supporting it during elections. There's a fair bit of corruption like this in Australia, and I am starting to think that someone's taxpayer subsidised livelihood is at stake here. Reality is this should always have been open source software and probably available on the AEC website for anyone to download and try out with the full set of figures that are counted.

    2. Re:This is complete crap!!! by Mjec · · Score: 4, Interesting

      What's probably happening is that some "IT" company whose only client is the government/AEC probably makes a fairly decent earn out of licensing out the software and supporting it during elections.

      We know actually that the software is developed in-house. The AEC does earn some money from licensing the software to other electoral commissions and from using it in union ballots etc.

      However, I argue [pdf] that the code used for counting the Senate could be released, because no other election operates that way. What's more I don't think the AEC's competitive edge in the world of elections comes from their great software.

      --
      "But everyone should know everything." -markab

  5. Nothing to see here, move along. by GrpA · · Score: 4, Funny

    This is ridiculous. The Australian government has already sent the software to Russia for peer review, and they determined that it worked perfectly during the Crimean referendum.

    I see no reason why the code should be further made public. It could only lead to compromise.

    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?

  6. Take a note from encryption by Anonymous Coward · · Score: 3, Insightful

    If your software isn't secure when your source is open, it isn't secure when it's closed. Either it's secure or it's not, but if part of maintaining that security is keeping the source under wraps, you're not thinking about security properly. You won't find encryption software claiming that by keeping its source closed it is increasing its resilience. If your code can't stand up to scrutiny, then you probably shouldn't be using it.

  7. Of course they can't. by edibobb · · Score: 2

    It's in the interest of national security and the war on child pornography to keep the vote tabulation methodology secret.

  8. Flawed vote tallying code by penguinoid · · Score: 4, Insightful

    Apparently releasing the code could "leave the voting system open to hacking or manipulation."

    Maybe they just shouldn't have used code that they know or expect to have vulnerabilities. Open it up to the public; there are plenty of people who will look at it and help fix it.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways

  9. Re:Could it be Micro$oft ... by ozmanjusri · · Score: 5, Informative

    Does the thing run only on Windoze 8 ?

    Window anyway.

    It's a VB6 program running on a single PC, supposedly for security reasons. The system is highly manual and failure prone enough that they're probably too embarrassed to release the code.

    The system was developed internally by the AEC in 2001, when an upgrade to Windows 2000 rendered an existing COBOL-based application the commission was using to tally-up union elections incompatible with its standard operating environment. It was re-written as a Microsoft Visual Basic application and runs on Microsoft SQL.

    http://www.itnews.com.au/News/...
    http://www.crikey.com.au/2013/...

    --
    "I've got more toys than Teruhisa Kitahara."

  10. It's fair enough by mtthwbrnd · · Score: 2

    "The AEC rejected the FOI application, citing section 45 of the FOI Act, which exempts "documents that disclose trade secrets"."

    You don't expect that trade secrets should be made public, do you? Look the code is not open source and is valuable intellectual property... so I hope I don't get my ass sued off for revealing it here:

    int voteCount = votes.Count();

  11. Corruption by countach · · Score: 4, Insightful

    So what the AEC is saying is that the election is safeguarded by what is called "security by obscurity". Or in other words, rather than having the software open so that security researchers can point out its flaws, you leave the flaws in place and hope that nobody knows what they are.

    People who rely on this method, are known in security circles as "blathering idiots", "damned fools", "corrupt officials hiding something", and various things like that.

    It's the moral equivalent of giving all the paper ballots to one single pointy headed official, asking him to count them, and then believing whatever number he decides to cough up. That's what you expect in Cuba, and other dictatorships.

  12. Re:Could it be Micro$oft ... by Anonymous Coward · · Score: 5, Informative

    The article is very light on detail.

    However, I'd like to clarify some incorrect, or at least outdated, points in your post.

    The AEC does use software for keeping track of votes.
    But it was not written in VB6. Nor was it written in 2001.

    How do I know this? Simple. I was on the team that wrote it.
    I was on the project in 2012/2013, though the project has existed before and after that.
    The AEC does/did have some legacy COBOL systems. But this isn't one of them.

    I don't want to go into detail because a) it would be inappropriate and b) I don't know enough about the agency outside of the project to represent them adequately.

    The software went partially-live during the last election to show that it worked and it met all milestones. It will likely see further use and development in the future.

  13. Re:Could it be Micro$oft ... by MojoMagic · · Score: 2

    The previous poster was me... For some reason it came through anonymously. Sorry about that. But, while I'm at it, I'd like to clarify that there are separate systems at play for 1) tracking votes and 2) tracking vote results. These are separate problems and you do not want the same system doing this. Why? Because there's something uncomfortable about a system that tracks who you are, where you are and how you voted. :)

  14. Re:Security by obscurity by Dr_Barnowl · · Score: 3, Interesting

    Actually it's easier to mess with paper ballots. Messing with software leaves a trail.

    I) Messing with software doesn't necessarily leave a trail. For example, a system by which your votes are tallied and the results placed in a file on an SD card for collation in a central location, relying purely on security by obscurity, means that you could mess with the data file in transit and no-one would be any the wiser.

    II) It's easier to mess with paper ballots, principally because computer systems are understood by fewer people than slips of paper. For precisely the same reason, it's much harder to audit voting systems involving computers. Widespread fraud in paper voting systems is difficult to pull off, because the manual nature requires a lot of observers, and most people can understand handling votes in a trustworthy manner. Voting systems based on computers can be manipulated by a single agent, often without a trace. And the pool of people capable of auditing them shrinks the more complex you make them - mickey-mouse ciphers included.

    Paper voting spreads trust over a large number of people. Computer voting concentrates it in the hands of a very small technically adept priesthood, much easier to buy off or intimidate. I'm the first to geek out about some cool new method of using crypto, but I've come to realise that as much enthusiasm I have for the technology, I'm not really comfortable trusting the election of my government to it because it's so easy to subvert.

  15. Re:Could it be Micro$oft ... by MojoMagic · · Score: 3, Informative

    Indeed you are correct. See my above reply to 'gronofer'. I misunderstood the original article. I worked on a related but separate system. I apologise for misleading you, even though it was unintentional.

    The details of where you voted, when you voted and the type of your vote are attached to your ID. But, WHO you actually voted for remains completely anonymous... So don't fret. :)

    My system was used (among other things) to determine if/when/how a given person attempted to vote more than once. The funny thing is a significant proportion of these offenders turn out to be elderly people who simply 'forgot' that they had already voted. Seriously.

  16. Voting machine study .. by lippydude · · Score: 2

    Executive Summary

    "There is insufficient evidence available to allow independent observers to state reliably whether the results declared in the May 2008 elections for the Mayor of London and the London Assembly are an accurate representation of voters’ intentions. Given these findings, the Open Rights Group (ORG) remains opposed to the introduction of e-counting in the United Kingdom, unless adopting ORG’s recommendations for increasing the transparency around e-counting can be proved cost effective."