Source Code and Voting: what’s really on that machine?

Let’s say someone’s trying to sell you a house. It’s a beautiful house. You visit it. You have it inspected and re-inspected, and it’s perfect. You get a loan approved, and you’re about to sign the papers when you’re told: wait, actually, that house is no longer available, but why don’t you just sign here on the dotted line for the exact same house just down the street. Really, really it’s the exact same house, promised. Would you sign on the dotted line assuming your inspections of the first house have any bearing on this new house you’ve never seen?

Hold that thought.

These last few days saw a couple of fascinating announcements in the voting machine world:

• the Open-Source Digital Voting foundation released their open-source election system, and
• Sequoia, one of the established voting machine vendors, will disclose all of its source code, from voting machine to tallying system.

These are great developments. We need a clear principle: you cannot count elections in secret, and proprietary code means counting elections in secret. Disclosing source code is a great step towards transparency in election verification. Open-source from OSDV is also a great way to break the vendor lock-in on voting machines and enable true innovation in voter user-interfaces, end-to-end verification add-ons, etc. All in all, this is a hugely positive development, in particular the OSDV release.

But we also can’t fall for the hype: when I walk into the voting booth, how do I know that voting machine is running the same source code I verified from my home machine? Do my inspections of the released codebase have any bearing on the machine I’m about to use?

To be fair, yes, to a degree: the election officials’ job will likely include ensuring that the authorized code is properly installed. But….

• states and counties often customize voting machines for their specific needs. As any security guy will tell you, if you verify 99% of the code, from a security standpoint you’ve verified nothing at all. Who’s verifying all of the customizations?
• it’s very difficult to build hardware that will give you some indication that the software you installed on it wasn’t tampered with. Think rootkits/viruses for your desktop computer.
• even if no modifications are made, even if a truly trusted device is built and deployed, in the end, you still end up having to trust the election officials to do their job entirely correctly, because a corrupt open-source machine is no more reliable than a corrupt proprietary machine, and using today’s devices, it only takes one corrupt election official to corrupt a voting machine, open-source or not.

I understand that free software fans see this as a revolution in election trustworthiness. However, in the case of voting machines, while disclosing source code is an improvement, it’s not nearly the improvement that some are claiming. You might disagree, of course, and then maybe you would be willing to sign for that other house down the road, the one you never saw with you own eyes, the one that nobody you know inspected.