A Case for Open Voting Systems
May 2008
Introduction
Elections in the United States have a surprisingly sordid past; vote buying, ballot fraud, voter intimidation, and bald-faced cheating appear to be the rule rather than exception to anyone acquainted with the history of American elections. If anything has changed about US elections in recent times, it is that elections have become more complicated. Electronic voting systems are being introduced to address many election difficulties, most notably in response to the millions of ballots disqualified in the 2000 presidential election due in large part to voter error. Unfortunately, at this moment, electronic voting systems present numerous challenges—in fact, electronic voting systems sometimes introduce more difficulties and offer less control than the systems they replace. The aspect of electronic voting I will focus on is whether electronic voting systems should be open or closed; whether scholars, experts, and your average voter should be allowed to scrutinize the underlying details of the systems being used, or whether these details should be kept secret by the companies that build, own, and operate these systems. I will begin by discussing the 2000 presidential election and the flaws in traditional voting systems uncovered by that election. I will go on to discuss Congress’s response to the 2000 election debacle—a bill funding the nation-wide implementation of electronic voting systems. I will provide details about two electronic voting systems, one which is open and one which is closed. After that, I will discuss Lawrence Lessig’s distinction between open and closed code, and his argument for why code should be open in certain, critical contexts. Finally, I will touch upon the issues of commerce and intellectual property that cause some to be concerned about the idea of open voting systems. My conclusion is that our societal interests of democratic government, fairness, honesty, and transparent regulation overwhelmingly favor open voting systems.
Motivations for Computerized Voting Systems
Few words describe the presidential election of 2000 better than “fiasco.” Now thought of as the model case for what could go wrong in a modern election, the contest between then Governor George W. Bush and Vice President Al Gore played out on the world stage, drawing attention to the failure of the United States to fulfill its promise of “one person, one vote.” What made the election a fiasco was not the fact that half of the eligible electorate chose to stay at home instead of going to designated polling places to vote (Campbell 284); it was not the embittered judicial battles that sought to repeatedly order or prevent recounts, or the fact that these battles made it seem as if the president would be determined by legal technicalities rather than by the will of the people; and it was not the mass voter disillusionment caused by the thousands of ballots that were declared valid one day, only to be declared invalid the next. The election was certainly not a fiasco due to the rampant bullying, vote buying, absentee ballot fraud, and disfranchisement of minority voters—these illicit practices are so commonplace in the American electoral system that even George Washington engaged in them (Campbell 280). The 2000 election was a fiasco because it revealed an embarrassing secret about the United States of America: the most powerful nation on earth could not count. The shining city upon a hill that fought off an empire, saved the world from fascism, and put the first man on the moon, became better known as the confused country where this was happening:
As the 2000 election drew to a close (or so everyone thought), it became obvious that the contest would boil down to the matter of who would win Florida’s 25 electoral votes:
One thing was for certain: Both [George W. Bush and Al Gore] desperately needed Florida’s twenty-five electoral votes. And in this regard, [Bush] was essentially playing on home turf. Bush’s brother, Jeb, had been elected governor of Florida in 1998, and a number of the state’s highest ranking officials were Republicans loyal to the Bush brothers. (Campbell 296)
Jeb Bush signed a letter that was sent as part of a $500,000 mailing campaign funded by the Florida GOP that ultimately persuaded 700,000 Floridians to vote “from the comfort of their own homes” via absentee ballots (Cambell 296). Despite the dubious legality of this campaign, it is important to note the demonstrated eagerness of voters for more convenient means of voting—means that do not involve journeying to public polling locations or using confusing voting machines.
Matching the egregious use of absentee ballots in infamy was Palm Beach County Supervisor of Elections Theresa LePore’s “butterfly ballot.” The butterfly ballot resulted from the delegation of the responsibility of designing the ballot to individual election officials, thus producing different ballot designs for individual counties and cities. LePore’s justification for her confusing ballot design was that she “hoped to accommodate the large number of candidates (ten party tickets were on the 2000 ballot) for president on a single page, as well as to accommodate a predominately elderly population who wanted larger type” (Campbell 299).
New words and phrases were added to our national vocabulary to facilitate discussion of the counting dilemma; hanging chad, dimpled chad, pregnant chad, trapdoor chad, dangling chad, and many similar terms flooded headlines and news broadcasts. These soundbite worthy terms allowed Americans to gab about the election debacle without confronting the frightening truth that the nation’s votes could not be counted in a consistent and reliable manner. As the court battles began and the news spotlight turned on the electoral system, many Americans saw for the first time that beneath the vote totals lay a chaotic conglomeration of disparate voting methods: votes cast by mail, votes cast by punch cards, votes cast by pulling levers, votes cast by touching screens, and, of course, votes cast by making confetti with felt-tipped pens. Many of these voting methods were antiquated, but some of the most notorious, including the butterfly ballot of Palm Beach County, were newly implemented but horribly conceived. At the same time, many Americans heard the words “electoral college” for the first time when they demanded an explanation for how a candidate could lose the election while receiving a greater portion of the popular vote.
Due to widespread voter error, ballot failure, and dramatically increased absentee voting, enough disturbances arose during the election to derail the normal voting process, necessitating the involvement of the judiciary. Tracy Campbell writes in Deliver the Vote that even if an election is not outright stolen using ballot stuffing, vote buying, or other tactics, it is enough for those who seek to steal an election to cause such disturbances in the the voting process that a sufficient number of results are contested, and the result of the election becomes a matter to be settled in court (307). This is to relocate the battleground for political power from the will of the electorate to the courtroom, where the outcome of the election can be swayed by argument and rhetoric. Concerning the matter of absentee ballots, even the rules and regulations of the US Postal Service were massaged by political agents to affect absentee ballot totals in a favorable manner. The nation witnessed a “count ‘till you win” attitude (Campbell 302) develop in Florida, with repeated recounts taking place, each time with slightly different legal technicalities put into play. No sooner would the new vote count favor a candidate than another recount would be demanded by the party of the opposing candidate.
Amid the recount arguments, the fact that 175,000 Floridians had their votes invalidated—a figure greater than the population of either Ft. Lauderdale or Tallahassee—never seemed to attract the appropriate concern or outrage. To statisticians, this was merely three percent of the total vote, which fell within the so-called “acceptable” levels. (Campbell 311)
Late overseas absentee ballots, combined with intense partisan counting of Election Day votes, ultimately gave Bush the infinitesimal margin by which he would secure Florida’s 25 electoral votes and the presidency (Campbell 310). The 2000 elections offered a demonstration that three percent of Florida’s total vote was overwhelmingly more than the margin needed to change the outcome of the election. As long as three percent ‘error’ is sufficient to affect the outcome of an election, and as long as three percent ‘error’ is considered acceptable, error and technicalities—not the will of the electorate—will remain the deciding factors in our elections. If we really wanted to count every vote accurately, surely we could. After all, affluent, white counties with updated, computerized voting equipment produced categorically fewer erroneous votes than Florida counties with older equipment (Campbell 312). At this point, America realized that its voting system was in need of a significant update—new equipment was needed to modernize the casting and counting of votes.
Shiny New Voting Systems
In response to the almost two million ballots disqualified in the 2000 election because they were cast incorrectly or they were unreadable by punch-card scanners, the U.S. Congress passed the Help America Vote Act of 2002 (HAVA) to improve the country’s voting equipment (Lovgren 1). One of HAVA’s stated objectives was to replace outdated punch-card machines by “improving, acquiring, leasing, modifying, or replacing voting systems and technology and methods for casting and counting votes” (Help 101). HAVA mandated that all lever-operating voting and punch-card scanning machines be replaced with new machines, and appropriated $3 billion (Help 257) to be paid over a period of three years to fund independent, state-by-state updates. Although most implementation details were left for individual states to decide, HAVA put forth a number of voting system standards that states would need to satisfy in their annual proposals in order to receive and continue to receive funding. The first two standards almost point a finger at the butterfly ballots and punch-card systems that caused so much chaos in Palm Beach County:
SEC. 301… VOTING SYSTEMS STANDARDS…
i. [the voting system shall] permit the voter to verify (in a private and independent manner) the votes selected by the voter on the ballot before the ballot is cast and counted;
ii. [the voting system shall] provide the voter with the opportunity (in a private and independent manner) to change the ballot or correct any error before the ballot is cast and counted (included the opportunity to correct the error through the issuance of a replacement ballot if the voter was otherwise unable to change the ballot or correct any error)… (Help 301)
The first standards listed clearly emphasize the voter verification and voter error issues that caused so much tumult in Palm Beach County. Many states have since implemented electronic voting systems pursuant to these standards.
I will briefly discuss two electronic voting systems: the first is the Premier Election Solutions (formerly Diebold) voting system as audited in the EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing report; and the second is the eVACS voting system by Software Improvements, as audited in a 2005 UC Davis security analysis. eVACS is an Australian voting system, but it is worth discussing here because it is a prominent open-source voting system.
The Premier/Diebold electronic voting system contains numerous components whose explication is beyond the scope of this paper. Components of particular interest include the AccuVote Touchscreen (AV-TSX), a touchscreen based voting device running Microsoft Windows CE and Premier’s BallotStation voting software (Blaze 108). The AV-TSX attaches to a paper printer to produce a printed receipt, or Voter Verifiable Paper Audit Trail (VVPAT), as mandated by HAVA. The EVEREST report describes how a machine such as the AV-TSX differs from traditional voting mechanisms:
Instead of entering their vote on paper, the voter uses a computer-based graphical user interface (GUI)… Once the voting machine is activated, it takes the voter through each contest and allows him or her to select candidates. DRE machines automatically forbid overvotes (too many votes cast in a contest) but optionally not undervotes (too few choices cast in a contest). The voter is then presented with an opportunity to review his ballot and then commits it (“casts” it), at which point it is recorded to local storage. (Blaze 13)
Premier also provides optical scan equipment for scanning paper ballots, which voters may choose to use instead of touchscreen machines; Premier’s optical scan ballot is filled out with a pencil, as punch cards are explicitly prohibited by HAVA (Blaze 109). In additional to Microsoft Windows and other software from disparate vendors used to control optical scanners and centralized vote tabulating machines, Premier’s voting machines and other system components use third-party software in an attempt to provide increased protection of ballots and election results (Blaze 111).
The EVEREST report concluded that the Premier system possessed critical failures in design and implementation that render it insufficient to guarantee a trustworthy election (Blaze 3). The design problems were centrally attributed to:
- Complexity - The Premier system is comprised of many components. The devices…run software built on many thousands of lines of source code developed in several different programming languages. Even under the best of circumstances, ensuring security in such a complex environment is exceptionally difficult…
- Security and Software Engineering Practices - Premier does not exhibit best security practices appropriate for high value systems. The apparent lack of detailed security requirements engineering and modeling, absence of security training, poor coding, failure to apply appropriate software testing and red-teaming has lead to [inordinate vulnerabilities].
- Reliance of COTS software - Much of the Premier system is built on commodity software such as the Windows operating system. Such systems have many vulnerabilities that are exploitable by an attacker. Moreover, these vulnerabilities are uncovered constantly, thus presenting nearly insurmountable problems in defending the voting equipment from an attacker (who may know about an exploit long before a patch exists to fix it). Such problems are not limited to the operating system–there are several third-party commercial software libraries upon which the systems are built. The evaluation teams did not have access to the source code of these libraries. (Blaze 117)
Many of these design flaws were known to be endemic to Premier/Diebold systems for some time before the EVEREST report, and Premier has sought to address many of its perceived security problems, yet it is obvious from the excerpt above that the critical failures in design and implementation that persist in Premier voting systems are inherent in the fundamental components upon which the voting system is built, and in the ad hoc manner in which these components are assembled. Proprietary components from disparate vendors are glued together by software that Premier produces, and none of these components was deemed sufficiently well-engineered or secure to function in a system that could produce trustworthy results.
The second electronic voting system I will discuss is eVACS (Electronic Voting and Counting System) by Software Improvements. eVACS was first used in 2001 for the Australian Capital Territory Legislative Assembly Election (eVACS 3), and has been successfully deployed for use in Australian Federal elections and other elections ever since (Success 1).
Australia developed and implemented eVACS while the public controversy about insecure voting machines in the United States ensued as a result of flaws encountered by voters using electronic systems, and academic papers…that pointed out serious vulnerabilities. The integrity of an election depends on the proper functionality of all its components. To that end, the voting software needs to be thoroughly tested and evaluated before it is used… [eVACS] was developed as an open source project so that the software is transparent and readily available to [scrutinizers], candidates, and any other interested parties. (Das 1)
Like the Premier system, eVACS includes touchscreen based voting devices and optical scanners for scanning paper ballots. Unlike the Premier system, eVACS is advertised as a transparent system; Software Improvements makes at least portions of eVACS client and server software source code available for public scrutiny under the GNU General Public License. eVACS runs on the GNU/Linux operating system and uses free and open source software components, providing a completely transparent electronic voting stack (eVACS 2).
The experts behind the EVEREST report, backed by the State of Ohio, had great difficulty obtaining source code and other equipment from Premier (Blaze 9); Premier failed to supply an adequate build environment in a timely manner, and since Premier’s voting software uses proprietary components supplied by other vendors, such as the Windows operating system and third-part security software, the EVEREST teams were not provided with the source to these components. eVACS stands in stark contrast to Premier in this respect: in a very short period of time, I was able to (1) acquire the source code1 to eVACS voting client and central vote-tabulating server software; (2) successfully build this software, which I was able to do by making only small changes to the source code; and (3) run the voting client software on my personal computer. In all fairness, I gathered the source code and necessary build files from an intermediate organization that had previously audited eVACS, but the fact that Software Improvements permits and even encourages their source code to be shared in this manner is what matters.
The UC Davis team that audited the eVACS system commended Software Improvements for avoiding common security flaws such as SQL injection vulnerabilities and user-exploitable buffer overflows (Das 6), which were discovered in abundance in the Premier system; on the other hand, the UC Davis team also expressed concern about deficient engineering practices leading to undocumented, fragile code that could be difficult to maintain (Das 7). The UC Davis team also mentioned a bug in the eVACS vote counting algorithm that was discovered by a previous audit; this bug was reported and, in a more recent audit, was found to be fixed (Das 3).
Clearly, opening the source of a voting system for public scrutiny is not a panacea. Software Improvements privately develops their voting software before releasing its source code, so poor engineering practices are only identified after the fact. Many independent teams were able to freely and easily obtain and scrutinize eVACS source code, and this scrutiny lead to the discovery of critical bugs that were subsequently fixed. As the old saying goes, better late than never.
Open Code, Closed Code, Regulation and Democracy
In Code 2.0, Lawrence Lessig makes the case that in certain important contexts, code and other facets of technology should be open in order to engender public trust in technologies that regulate important aspects of our lives, to reflect the democratic values of our society, and to limit the power held by companies and governments over people. Lessig offers two examples of technologies whose code should be open: the first example is government surveillance software, and the second example is electronic voting machines.
Throughout his book, Lessig discusses at great length the important differences between “East Coast Code,” the legal code preserved and decided in Washington D.C., and “West Coast Code,” the computer code produced by companies like Microsoft in Redmond, Washington. As high technology is increasingly employed by governments, West Coast Code has an increasing ability to regulate peoples’ lives in significant ways. Lessig discusses the “architecture” of West Coast Code, or the overarching system of values that code codifies:
Architecture is a kind of law: It determines what people can and cannot do. When commercial interests determine the architecture, they create a kind of privatized law. I am not against private enterprise; my strong presumption in most cases is to let the market produce. But isn’t it absolutely clear that there must be limits to this presumption? That public values are not exhausted by the sum of what IBM might desire? That what is good for America Online is not necessarily good for America? (Lessig 77)
Lessig argues that Adam Smith’s “invisible hand” threatens our society’s core values of liberty and openness, for at the moment, commercial interests, the driving forces behind West Coast Code, favor a particular kind of architecture that restricts freedoms and embodies secretiveness (Lessig 79):
By “kind” I mean to distinguish between two types of code: open and closed. By “open code” I mean code (both software and hardware) whose functionality is transparent at least to one knowledgeable about the technology. By “closed code,” I mean code (both software and hardware) whose functionality is opaque. One can guess what closed code is doing; and with enough opportunity to test, one might well reverse engineer it. But from the technology itself, there is no reasonable way to discern what that functionality of the technology is. (Lessig 139)
Closed code makes regulation invisible, thus interfering with the ordinary democratic process by which we hold regulators accountable. East Coast Code is open for public scrutiny and appeal, whereas West Coast Code, when it is closed, is a secret (Lessig 138). Thus, “if code regulates, then in at least some critical contexts, the kind of code that regulates is critically important” (Lessig 139).
Lessig discusses a critical context in which the kind of code that regulates matters: an election in which electronic voting machines are used to cast and count votes. After briefly discussing the 2000 fiasco, Lessig provides a dismal update by discussing electronic voting technologies deployed for the 2004 federal election. Lessig touches on voter anxiety about whether the machines are correctly tallying their votes, and qualms about whether centralized counting servers are accurately accounting for all votes:
The most extreme example of this anxiety was produced by the leading electronic voting company, Diebold (now Premier). In 2003, Diebold had been caught fudging the numbers associated with tests of its voting technology. Memos leaked to the public showed that Diebold’s management knew the machines were flawed and intentionally chose to hide that fact. (The company then sued students who had published these memos—for copyright infringement. The students won a countersuit against Diebold.) (Lessig 142)
Diebold subsequently refused to pursue contracts where open access to voting system code would be required, and Diebold’s chairman promised to “deliver Ohio” for George W. Bush in 2004 (Lessig 142). From this information, it is clear that without access to the source code, Diebold electronic voting systems could not reasonably be expected to produce trustworthy election results; the EVEREST team was given privileged access to Premier source code and was able to confirm these suspicions.
So, is it crucial that electronic voting systems be open? Do we hold Premier’s intellectual property claims in higher regard than the free expression of the will of our democratic commonwealth? Can closed West Coast Code co-regulate with East Coast Code in a healthy democracy? Or should government require that code, in certain crucial regulatory contexts, be open to preserve the values of freedom and openness codified in the Constitution, the “source code” of our nation?
Trust, Intellectual Property, and Election Integrity
Whether electronic voting systems should be open boils down to three points of contention: trust, intellectual property, and election integrity. I conclude my considerations for open voting system with some final words on these three points.
In a report produced through cooperation between Australian National University and Software Improvements, some pretty heavy questions are posed about the trustworthiness of open electronic voting systems, and whether this trustworthiness matters. These questions include “do election system producers need to make their source code available by default in order to ensure trust?”, and “what’s the point in exposing source code widely if [voters] already express trust or that they are apathetic about the election systems that they are required to use?” (Boughton 4). The report offers pragmatic reflections on the real value added by open voting systems in terms of this trust:
Making the source code for an election system public probably adds little value to ensuring trust. Most [voters] neither wish to, nor are capable of adequately scrutinising strangely expressed (computer) language even more foreign than legalese. To them the openness is immaterial. Of course those that might add value will be capable of closely scrutinising the source code and are probably more than likely wanting to prove that a system should not be trusted, rather than the opposite. (Boughton 4)
As Lessig points out, it is up to us to decide which values are most important to us, and whether those values or others should be embodied by the code that regulates our lives. It is also up to us to structure our government to make these decisions on our behalf. Clearly, trustworthiness, transparency, honesty, equality, and fairness are the better values that we strive to embody as a society, and therefore we must similarly strive to promote these values in the code that guides our society. It is especially important that the code that guides our elections, the primary means through which our government is made by the people and for the people, embody these values, or at the very least, not embody the opposite of these values.
The Boughton report goes on to address two primary concerns about open source voting systems: loss of intellectual property on behalf of the voting system supplier, and the potential for election fraud introduced by exposing the underlying system code.
Concerning the question of intellectual property loss, the report concludes that discovering stolen code among open voting systems in the relatively small electronic voting market would be a trivial task; that open source software licenses such as the GNU General Public License, as used by eVACS, offer sufficient protection of intellectual property under the circumstances; and last but not least, electronic voting software often contains very little valid intellectual property (Boughton 5).
There is a strong legal precedent supporting the argument that voter interests outweigh private companies’ intellectual property ownership claims. In 1992, campaign-free zones around polling places in Tennessee were reinstated after a high court ruled that “Tennessee’s compelling interests in preventing voter intimidation and election fraud outweighed any apparent encroachments upon the First Amendment” (Campbell 272). If Tennessee’s interests in protecting voters’ rights outweigh encroachments upon the First Amendment, it is reasonable to suppose that the same court would prioritize voters’ rights over encroachments upon any company’s intellectual property claims. Campaign-free zones around voting locations are commonly used to protect voters from the influences of avid, partisan supporters. The code which controls how the ballot is marked, recorded, and eventually counted, may also be imbued with partisan bias by a manufacturer with ulterior, political motives (recall the promise made by Diebold’s chairman). In the case of closed voting systems, it is nearly impossible to discover this codified bias.
Concerning the possibility of election fraud due to open voting systems, the Boughton report echoes my earlier comment that although open code offers “a degree of audibility and protection… it is usually not sufficient for the development of a truly high integrity system” (Boughton 5). Whether a voting system is open or closed does not directly make the system more or less susceptible to fraud. Fundamental technical choices must be made to ensure that electronic voting systems are secure.
Conclusion
The Help America Vote act mandated that federally funded voting systems should permit the voter to verify, in a private and independent manner, his or her vote; and that the voting system shall provide the opportunity, in a private and independent manner, to change the ballot or correct any ballot error (Help 301). As Lessig emphasizes, voters cannot possibly verify their votes simply by using an electronic voting machine; a voter can only reasonably be expected to be able to verify his or her vote in an private and independent manner if the voter has total access, unfettered by the coercion of intellectual property claims, to the entirety of the electronic voting system. This level of access requires—at the very least—that electronic voting systems be composed of open code. The UC Davis and Boughton reports made it clear, however, that openness is not the complete solution, because open systems can suffer the same engineering flaws and security vulnerabilities as their proprietary brethren. While many technical challenges must be resolved before the promise of electronic voting is delivered, we can make significant steps toward realizing the ideal of “one person, one vote” if we ensure that these systems are open and free from insidious secrets.
Works Cited
- Blaze, Matt and McDaniel, Patrick et al. EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testin: Final Report. Pennsylvania State U., U. of Pennsylvania, 2007.
- Boughton, Clive, and Boughton, Carol. Credible Election Software – eVACS. Software Improvements, 2005.
- Campbell, Tracy. Deliver the Vote: A History of Election Fraud, and American Political Tradtion—1742-2004. New York: Carroll & Graf Pub., 2006.
- Das, Ananya, Niu, Yuan and Stegers, Till. Security Analysis of the eVACS Open-Source Voting System. UC Davis, 2005. 20 Apr. 2008 <wwwcif.cs.ucdavis.edu/~stegers>
- eVACS Success at the Australian Federal Election November 2007. Software Improvements. Nov. 2007. 29 Apr. 2008 <www.softimp.com.au/>
- eVACS; the Modular Electronic Elections System. Software Improvements. 2005.
- Help America Vote Act of 2002. Public law 107-252. 107th Congress. 28 April 2008. <frwebgate.access.gpo.gov/>
- Lessig, Lawrence. Code version 2.0. New York: Basic Books, 2006.
- Lovgren, Stefan. Are Electronic Voting Machines Reliable? National Geographic News. Nov. 2004. National Geographic. 8 April 2008 <news.nationalgeographic.com/news/>.