Australian Electoral Commission Refuses To Release Vote Counting Source Code 112
angry tapir writes: The Australian Electoral Commission has been fighting a freedom of information request to reveal the source code of the software it uses to calculate votes in elections for Australia's upper house of parliament. Not only has the AEC refused an FOI request (PDF) for the source code, but it has also refused an order from the Senate directing that the source code be produced. Apparently releasing the code could "leave the voting system open to hacking or manipulation."
Security (Score:5, Funny)
... through obscurity. What could possibly go wrong?
Re: (Score:2)
Someone pays the coders $$ so that they will win.
Re:Security (Score:4, Insightful)
It's not just a matter of what could go wrong. It's a matter of what has already gone wrong. They've traded the possibility that a vulnerability will be used to compromise the system for the certainty that the system will be compromised from the get-go. The whole point of securing a system such as this one is to ensure the credibility of the results, but security (regardless of the variety) can't add credibility to something that never had it to begin with.
Re: (Score:2)
This gets scored "Funny". I think it's sad, very sad, that there's still people who think that keeping their source code a secret makes their software more secure.
Re: (Score:2)
Re:Could it be Micro$oft ... (Score:5, Informative)
Does the thing run only on Windoze 8 ?
Window anyway.
It's a VB6 program running on a single PC, supposedly for security reasons. The system is highly manual and failure prone enough that they're probably too embarrassed to release the code.
The system was developed internally by the AEC in 2001, when an upgrade to Windows 2000 rendered an existing COBOL-based application the commission was using to tally-up union elections incompatible with its standard operating environment. It was re-written as a Microsoft Visual Basic application and runs on Microsoft SQL.
http://www.itnews.com.au/News/... [itnews.com.au]
http://www.crikey.com.au/2013/... [crikey.com.au]
Re:Could it be Micro$oft ... (Score:5, Informative)
The article is very light on detail.
However, I'd like to clarify some incorrect, or at least out-dated, points in your post.
The AEC does use software for keeping track of votes.
But it was not written in VB6. Nor was it written in 2001.
How do I know this? Simple. I was on the team that wrote it.
I was on the project in 2012/2013, though the project has existed before and after that.
The AEC does/did have some legacy COBOL systems. But this isn't one of them.
I don't want to go into detail because a) it would be inappropriate and b) I don't know enough about the agency outside of the project to represent them adequately.
The software went partially-live during the last election to show that it worked and it met all milestones. It will likely see further use and development in the future.
Re: (Score:2)
Re: (Score:2)
So why do you think they are so strongly resisting the release of the code? It sounds l
Re: (Score:1)
First of all, I wrote the previous post at work and, in the chaos of my office I think I misread the original post.
I worked on the software that tracks when and where a person votes. I.e.: You walk into a polling station, present your ID and then get given a ballot form. The system records the time, location and TYPE of vote against your ID and synchronises that to a central database in near real-time. It does NOT record WHO you voted for. I'm sorry that I gave that impression. My bad.
I am not familiar with the software used to determine the outcome of votes. But, and this is speculation on my part, I can't imagine that it would be overly complex.
I'm honestly not sure why one wouldn't want to release the code. If nothing else, it might be nice to have a 'reference implementation' for a democratic vote tallying process. I assume a reasonable reason might be that it has not been audited for public consumption. Even a simple audit requires time and money. Both of which are in short supply at the AEC.
They could release pseudo code instead of machine code. That way we could be sure that the code works without having to reveal vulnerabilities to potential hackers. And if a hacker/black hat can leverage a problem found within the pseudo code then the whole thing should be rewritten.
Re: (Score:1)
How would the system assign votes to identities? The ballot papers are anonymous, and Australian elections are supposed to be a secret ballot.
Re: (Score:3, Informative)
Indeed you are correct. See my above reply to 'gronofer'. I misunderstood the original article. I worked on a related but separate system. I apologise for misleading you, even though it was unintentional.
The details of where you voted, when you voted and the type of your vote are attached to your ID. But, WHO you actually voted for remains completely anonymous... So don't fret. :)
My system was used (among other things) to determine if/when/how a given person attempted to vote more than once. The funny
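The mark-off system described in this thread records time, place and vote type against a voter ID and is used to spot people marked off more than once. The following is an added example, not the AEC's or the poster's code, of the kind of check a collation site could run over such records once they have been synchronised. The record layout, booth names, vote-type labels and the five-minute "same officer, double entry" window are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mark-off records: (voter_id, ISO-8601 time, polling place, vote type).
# Booth names and vote-type labels are invented for this example.
SAMPLE_MARKOFFS = [
    ("V001", "2013-09-07T08:05:00", "Booth-12", "ORDINARY"),
    ("V002", "2013-09-07T08:07:00", "Booth-12", "ORDINARY"),
    ("V003", "2013-09-07T09:30:00", "Booth-04", "ABSENT"),
    ("V001", "2013-09-07T13:45:00", "Booth-07", "ORDINARY"),
    ("V004", "2013-09-07T10:00:00", "Booth-12", "ORDINARY"),
    ("V004", "2013-09-07T10:01:00", "Booth-12", "ORDINARY"),
    ("V005", "2013-09-01T11:00:00", "PrePoll-02", "PRE_POLL"),
    ("V005", "2013-09-07T12:00:00", "Booth-09", "ORDINARY"),
]

# Two mark-offs at the same place within this window are treated as a likely
# double entry by the same issuing officer rather than a second attempt to vote.
# The window is an assumption made for this example.
DUPLICATE_ENTRY_WINDOW = timedelta(minutes=5)


def parse_markoffs(records):
    """Group mark-offs by voter, each voter's list ordered by time."""
    by_voter = defaultdict(list)
    for voter_id, ts, place, vote_type in records:
        by_voter[voter_id].append((datetime.fromisoformat(ts), place, vote_type))
    for events in by_voter.values():
        events.sort()
    return by_voter


def classify(events):
    """Label a voter's multiple mark-offs (heuristic constructed for this example)."""
    places = {place for _, place, _ in events}
    span = events[-1][0] - events[0][0]
    if len(places) == 1 and span <= DUPLICATE_ENTRY_WINDOW:
        return "probable_duplicate_entry"
    return "multiple_issue"


def find_multiple_markoffs(records):
    """Return {voter_id: {"events": [...], "category": ...}} for every voter
    marked off more than once; voters with a single mark-off are not reported."""
    flagged = {}
    for voter_id, events in parse_markoffs(records).items():
        if len(events) > 1:
            flagged[voter_id] = {"events": events, "category": classify(events)}
    return flagged


if __name__ == "__main__":
    for voter_id, info in sorted(find_multiple_markoffs(SAMPLE_MARKOFFS).items()):
        print(voter_id, info["category"])
        for when, place, vote_type in info["events"]:
            print("   ", when.isoformat(), place, vote_type)
```

The output separates a same-booth pair a minute apart (V004) from issues at different places or on different days (V001, V005), so the follow-up can be prioritised; the classification is only a triage hint, and which mark-off, if any, was a genuine second vote is still a question for the paper roll and the officers involved.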
Re: (Score:1)
I would be more interested in knowing the parameters and outcomes of the software.
Otherwise the code could be as simple as 1+n where n are all the prior votes counted.
Sounds too simple to be an issue so I assume it's got to be a lot more complex than that.
The electoral rolls are marked by hand in each polling place. Even if all sheets are scanned then checked later, it should be a no-brainer piece of code.
Re: (Score:2)
You know, they have a technique where I vote for making sure I don't accidentally vote twice. I sign the book when I get my ballot, and if I've already signed I know I've already voted.
Paper is wonderful for elections. It's understandable, impossible to manipulate globally, has fairly obvious security measures to try to stop local manipulation, and leaves a tangible record for audit and recount purposes. Add electronic tabulation to speed up the counting process, and what more could you want?
Re: (Score:2)
Re: (Score:2)
Probably missing something, but why do you need a separate system to track vote results? Could the system that tracks votes not just do a tally...
Hmmm, (Score:5, Insightful)
Makes me wonder who has access now and does not want competition?
Re:Hmmm, (Score:5, Insightful)
That is a myth; obscurity is a valid security mechanism, it just should not be the only one. Good security uses all means available to delay, ward off or prevent security breaches.
Re:Hmmm, (Score:5, Insightful)
Security through obscurity might work for something like a power plant control system because we don't know the architecture of the hardware that it runs on, the operating system or if there is a third-party OS, the language it's written in, or even its name, and given the importance of the application it probably wouldn't be permanently Internet-connected, and if it needs to send out notifications it might communicate through a unidirectional RS232 link or something along those lines, or through a transmit-only fiber link (so that there's not even receive hardware on the platform). Certainly there would be some people that really want to break in, but it's exceedingly unlikely that they'll ever be in a position to do so.
Security through obscurity can also work when the system is not terribly important. I don't doubt that the Energy Management System controllers that interface the HVAC systems in commercial office buildings to the computer networks are garbage as far as their code is concerned, but there's not much someone can do with those in most cases. So even if there's ability, there's no real payoff, and the systems are so incredibly simple and underpowered that they'd make for poor intermediaries in a greater attack even.
By contrast, voting equipment is usually distributed widely and is not particularly heavily guarded, and as it needs to be inexpensive to produce in mass quantities it's often commodity hardware, off-the-shelf parts if you will, and there have been documented cases of electronic voting hardware having exposed and functional USB ports. As vote tallies are important it's not inconceivable that someone could borrow or steal a voting machine to figure out how it works and to find some way to mass-tamper with them, like distributing USB fobs to their fellows to use on them to load a package. In these cases, obscurity simply doesn't work because the system can't remain obscure.
Re: (Score:3)
Security through obscurity is an accident waiting to happen... When you talk about a system that no one would bother trying to hack, consider the bitcoin exchange mtgox - it started off as a simple site for trading game cards, and initially bitcoins had very little value - there was very little interest in hacking it. Then pretty much overnight bitcoin exploded in value, making it a very tempting target indeed.
Also when you talk about a power plant system, a one way link is the security, not the obscurity a
Re: (Score:2)
That's a good argument for using obscurity as just one method in a much larger package, never by itself. If you don't mind me starting from your examples, I'd like to add that even in those examples it will only accomplish much, if anything at all, if the obscurity part is carried out consistently enough to add some value to the other methods. I'd say programming this tool up in VB is itself inconsistent with obscurity. People who find out it was written in VB can make a pretty informed guess as to what so
Re:Hmmm, (Score:5, Funny)
Wait a minute. You're saying pre-SP Windows XP isn't secure enough to be trusted as the basis for a country's democracy?
Now I've heard everything.
Re: (Score:3)
Security through obscurity might work for something like a power plant control system because we don't know the architecture of the hardware that it runs on, the operating system or if there is a third-party OS, the language it's written in, or even its name, and given the importance of the application it probably wouldn't be permanently Internet-connected, and if it needs to send out notifications it might communicate through a unidirectional RS232 link or something along those lines, or through a transmit-only fiber link (so that there's not even receive hardware on the platform).
Power companies don't develop bespoke security on their control systems (and would likely suck if they did). A particular power system most likely uses off-the-shelf 1970s or '80s Siemens systems whose specs are widely known through the industry because of the decades of technicians who have worked on them.
For example: http://www.wired.com/2013/10/ics/ [wired.com]
Security through obscurity doesn't work because it relies on the security of your obscurity, and most of the time your obscurity is weak. Key-based crypto syst
Re: (Score:1)
Not in voting.
No matter how much real security you add, "we are not going to tell you how we count the votes, but rest assured that 90% of the votes did go to El Presidente" is a loud and clear message to the voters that they are living in a dictatorship.
transparency is the security mechanism (Score:2)
That only applies when transparency is not a competing security mechanism.
In this case, transparency protects from institutional and insider attacks on the system of self-governance. Obscurity simply protects the mechanism from observation. One must ask which is more important.
Re: (Score:1)
I'd also question whether the usual arguments against "security by obscurity" apply in a case where the software is being used "single shot" and infrequently, with massive potential impacts in the event of a breach. The software needs to work right, once, rather than almost right over a continuous period. Frankly it's a case where, gut reaction, I'd prefer the potential bad guys to have no opportunity to spot a potential vulnerability, rather than rely on the overall community spotting and exposing all such
Re: (Score:2)
I get the impression that security provided by obscurity is generally overrated by people who argue for security through obscurity. This can lead them to skimp on more robust security measures. Moreover, since the obscurity is generally not a problem for a determined attacker, you really do need good security other than obscurity for high-value targets (like election systems). Never rely on obscurity for security when you actually need security. If you can put obscurity into a sound system, go for it.
Re: (Score:2)
Re: (Score:2, Informative)
Australian senate elections don't use electronic voting machines to record elector's votes.
The AEC use this software to allocate preferences derived from the 'group voting ticket' ballots on pieces of paper (http://en.wikipedia.org/wiki/Group_voting_ticket)
Re: (Score:2)
Where I live, ballots are large pieces of cardstock with the various questions printed on them, and the voter marks a line between two pre-printed lines (one with an arrowhead pointing at the answer it corresponds with) to indicate preference. The ballots go through the scanning machine and are then deposited into a box like a traditional hand-counted system. If elections are espe
Re: (Score:2)
The problem with printing out each vote on site becomes apparent when you look at the history of machine voting. Even punch-card machines (the completely non-electronic punch tables themselves, not the subsequent reader) become unusable during elections because of poor maintenance, lack of cleaning, age, bad design, etc.
With pre-printed forms, you know they are all correct (or all wrong) before the election. With on-site printing, the printers can run out of ink or paper, or jam, or smudge. And that prevent
Re: (Score:2)
As voting "irregularities" have been reported on over the years, I've wondered about the possibility of generating ballots on-the-fly. It would be really convenient if one could vote at any polling station in the county or state by simply presenting one's ID and having a ballot for one's various districts generated, so if one's local polling places are overwhelmed or if one wants to vote close to one's workplace one could use
Re: (Score:2)
Well, I'd argue pen, paper, hand count, not pencil, but your point still holds.
Pens in voting booths run out without showing an obvious external sign; you have to test them continuously, one at a time, for the whole day. Pencils in booths can be easily checked by sight at walking pace for whether they are blunt, without touching them. Much quicker. Also pencil tips don't dry out.
Your concern, I'm guessing, is someone rubbing out the pencil and changing other people's vote? Soft graphite on thin cheap matte paper can't be easily erased without leaving marks or ripping the paper. The marks
Re: (Score:2)
Re: (Score:2)
the receipts would need to be anonymous and hence not signed.
unless of course you really want to change how the anonymous, non-sellable non-bullyable voting works in most free countries.
but is this a voting machine or a program used to tally up all the votes from the districts? which could be done with an excel sheet or manual quite easily.
Re: (Score:1)
These aren't electronic voting machines. This is a single computer in the AEC office which is given a table of preferences, a human operator then hand-enters the first-preference totals for each candidate in each seat involved in the election, and the program then uses the second-, third-, etc.-preferences to determine the overall winner. The process is then repeated with a second human operator and any differences are reconciled manually.
That said, the AEC's "trade secret" excuse is bullshit. It's a standa
Re: (Score:2)
I firmly believe that all electronic voting machines should have full source code released and receipts that should be printed and signed by the voter and placed in a box next to the machine in case of recounts or verification questions.
The system in the article is about counting the pieces of paper we manually write our votes on, because we use a preference voting system (instant run-off): if your #1 candidate gets eliminated, your vote gets reassigned to your #2 candidate. In the Senate, there's also a seat-quota system, where preferences simultaneously flow "down" as well as "up", so it's difficult to give the quick result that everyone wants on election night.
The AEC trialled actual electronic voting in one Australian territory, ACT, b
Re: (Score:2)
They don't understand how it works, therefore they're afraid of it.
Don't assume malice when you're simply facing incompetence.
Re: (Score:2)
They don't understand how it works, therefore they're afraid of it.
That also applies to 90% of the comments in this post. (Or indeed, 90% of comments on Slashdot, full stop.)
That's also probably a better justification for opening source code and design documentation than the usual "obscurity != security" nerd rage. There's less to fear when the lights are on.
of-course (Score:5, Insightful)
it's not those who cast the votes, it's those who tally them up that count.
Re: (Score:3, Funny)
In other words, it's those who count that count.
This is complete crap!!! (Score:5, Informative)
It's software to tally it up. There's always a paper backup. As an Australian, this worries me.
While our senate voting system is a little odd, adding up the votes isn't simple and can't be done on election night, so it's no surprise to see software being used to calculate it. But with that said, all it has to do is do a number of rounds as candidates reach their quota, and when no one has a quota in that round, it eliminates the last candidate and moves the preferences accordingly. In our last election, there was even an instance of ~2000 ballot papers going missing, and then supposedly resurfacing much later. The High Court decided on another election for the state involved, which in my opinion is the only fair outcome possible.
If they're worried about hacking it, it's a complete farce; there's no reason why the computer doing the sums even has to be connected to the internet, seeing as I think all the ballots are counted by people (they're farcically large ballots often described as table cloths), they just plod in a few numbers as the data comes in. Someone must be worried that competent, impartial people will have a look and find something which has been giving out porky pies.
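Several posts in this thread describe what the Senate count has to do: compute a quota, elect candidates who reach it, transfer surpluses, and exclude the lowest candidate when nobody reaches quota. The following is an added example of that procedure in code; it is not the AEC's software or any poster's code. It uses the integer Droop quota, transfers a surplus by scaling every ballot in the elected candidate's pile by surplus/total (an inclusive Gregory-style transfer), and breaks ties by candidate name. Those choices, the candidate names and the 24 constructed ballots are assumptions made for the example, not a statement of the actual Senate rules.

```python
from fractions import Fraction

# Constructed sample: 2 vacancies, four candidates, 24 ballots.
# Each entry is (number of identical ballots, preference order first-to-last).
SAMPLE_BALLOTS = [
    (10, ("A", "B", "C", "D")),
    (4, ("A", "C", "B", "D")),
    (5, ("B", "A", "C", "D")),
    (3, ("C", "D", "B", "A")),
    (2, ("D", "C", "B", "A")),
]
SEATS = 2


def expand(spec):
    """Turn (count, prefs) pairs into one tuple per physical ballot."""
    return [prefs for count, prefs in spec for _ in range(count)]


def droop_quota(num_ballots, seats):
    """Integer Droop quota: the smallest total that only `seats` candidates can reach."""
    return num_ballots // (seats + 1) + 1


def next_continuing(prefs, continuing):
    """First preference on the ballot that is still in the count, or None."""
    return next((p for p in prefs if p in continuing), None)


def transfer(parcel, factor, continuing, piles, exhausted):
    """Move each (prefs, weight) ballot in `parcel` to its next continuing
    preference, multiplying its transfer value by `factor` (1 for an exclusion,
    surplus/total for a surplus). Ballots with no continuing preference exhaust."""
    for prefs, weight in parcel:
        target = next_continuing(prefs, continuing)
        if target is None:
            exhausted.append((prefs, weight * factor))
        else:
            piles[target].append((prefs, weight * factor))


def count_stv(ballots, seats):
    """Run the count. Returns (elected in order, quota, per-round totals) so the
    whole progression can be printed and checked against a hand count."""
    candidates = {c for prefs in ballots for c in prefs}
    quota = droop_quota(len(ballots), seats)
    continuing = set(candidates)
    piles = {c: [] for c in candidates}
    exhausted = []
    elected, rounds = [], []
    # Every ballot starts at transfer value 1 on its first preference.
    transfer([(p, Fraction(1)) for p in ballots], Fraction(1), continuing, piles, exhausted)

    while len(elected) < seats:
        totals = {c: sum((w for _, w in piles[c]), Fraction(0)) for c in continuing}
        rounds.append(totals)
        # Fewer continuing candidates than vacancies left: they are elected by default.
        if len(continuing) <= seats - len(elected):
            elected.extend(sorted(continuing, key=lambda c: (-totals[c], c)))
            break
        reached = [c for c in continuing if totals[c] >= quota]
        if reached:
            # Elect the highest candidate over quota and transfer only the surplus.
            winner = min(reached, key=lambda c: (-totals[c], c))
            elected.append(winner)
            continuing.remove(winner)
            parcel, piles[winner] = piles[winner], []
            surplus = totals[winner] - quota
            if surplus > 0:
                transfer(parcel, surplus / totals[winner], continuing, piles, exhausted)
        else:
            # Nobody reached quota: exclude the lowest and pass ballots on at full value.
            loser = min(continuing, key=lambda c: (totals[c], c))
            continuing.remove(loser)
            parcel, piles[loser] = piles[loser], []
            transfer(parcel, Fraction(1), continuing, piles, exhausted)
    return elected, quota, rounds


if __name__ == "__main__":
    elected, quota, rounds = count_stv(expand(SAMPLE_BALLOTS), SEATS)
    print("quota:", quota)
    for i, totals in enumerate(rounds, 1):
        print(f"round {i}:", {c: float(v) for c, v in sorted(totals.items())})
    print("elected:", elected)
```

With the sample ballots the quota is 9; A is elected on first preferences with 14 and a surplus of 5 is transferred at 5/14 per ballot, then D and C are excluded in turn and B is elected by default. Exact fractions are used throughout so the round-by-round totals can be reconciled against a manual recount without rounding disputes, which is the kind of transparency the thread is asking for.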
Re:This is complete crap!!! (Score:5, Insightful)
Should have finished reading the article, this bit at the end is probably the truth;
"In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems,"
What's probably happening is that some "IT" company whose only client is the government/AEC probably makes a fairly decent earn out of licensing out the software and supporting it during elections. There's a fair bit of corruption like this in Australia, and I am starting to think that someone's taxpayer subsidised livelihood is at stake here. Reality is this should always have been open source software and probably available on the AEC website for anyone to download and try out with the full set of figures that are counted.
Re: (Score:2)
Orders for production of documents are among the most significant procedures available to the Senate to deal with matters of public interest giving rise to questions of ministerial accountability. It is open to the Senate to treat a refusal to table documents as a contempt of the Senate. In cases of government refusal without due cause, however, the Senate has preferred political remedies. In extreme cases the Senate, to punish the government for not producing a document, could resort to more drastic measures than censure of the government, such as refusing to consider government legislation. (See also Chapter 19, Relations with the Executive Government, under Remedies against executive refusal of information.)
Let's hope that they continue to pressure the government for this information. The rest of the voting process is open, why not the counting software? Or at least easy access to the raw data, so members of the public can analyse it themselves.
Re:This is complete crap!!! (Score:5, Interesting)
We know actually that the software is developed in-house. The AEC does earn some money from licensing the software to other electoral commissions and from using it in union ballots etc.
However, I argue [mjec.net] [pdf] that the code used for counting the Senate could be released, because no other election operates that way. What's more I don't think the AEC's competitive edge in the world of elections comes from their great software.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
If they're worried about hacking it, it's a complete farce; there's no reason why the computer doing the sums even has to be connected to the internet, seeing as I think all the ballots are counted by people (they're farcically large ballots often described as table cloths), they just plod in a few numbers as the data comes in. Someone must be worried that competent, impartial people will have a look and find something which has been giving out porky pies.
They said "hacking or manipulation", they mean that there are potentially bugs which could be triggered by malicious input. The computer doing the tally is not connected to the internet. This is a bit alarmist and they have only tried playing the card recently, the AEC seems to be getting desperate.
The real reason is the other one that they offered, "underpins the industrial and fee-for-service election counting systems". The AEC makes a fair bit of money running elections for private organisations and other
Nothing to see here, move along. (Score:5, Funny)
This is ridiculous. The Australian government has already sent the software to Russia for peer review, and they determined that it worked perfectly during the Crimean referendum.
I see no reason why the code should be further made public. It could only lead to compromise.
GrpA
Re: (Score:2)
Surely they wouldn't use the services of a country as untrustworthy as Russia! I have confidence that they'll send it to a legitimate democracy for review, like their close ally [smh.com.au] Sri Lanka.
Re: (Score:1)
>A system that few know is far more secure than an open one.
This is very wrong, though it is a common misconception. But, since the system in question is dealing with the fate of a country, it is also dangerously wrong.
The ramifications of a security leak for this software would (surprisingly) be almost nil; politics is a game played by players and if the numbers don't suit what they want then they make them up.
Almost certainly, the reason the info isn't being released is because the software was done by a p
Re:Security by obscurity (Score:4, Interesting)
Actually it's easier to mess with paper ballots. Messing with software leaves a trail.
I) Messing with software doesn't necessarily leave a trail. For example, a system by which your votes are tallied and the results placed in a file on an SD card for collation in a central location, relying purely on security by obscurity, means that you could mess with the data file in transit and no-one would be any the wiser.
II) It's easier to mess with paper ballots, principally because computer systems are understood by fewer people than slips of paper. For precisely the same reason, it's much harder to audit voting systems involving computers. Widespread fraud in paper voting systems is difficult to pull off, because the manual nature requires a lot of observers, and most people can understand handling votes in a trustworthy manner. Voting systems based on computers can be manipulated by a single agent, often without a trace. And the pool of people capable of auditing them shrinks the more complex you make them - mickey-mouse ciphers included.
Paper voting spreads trust over a large number of people. Computer voting concentrates it in the hands of a very small technically adept priesthood, much easier to buy off or intimidate. I'm the first to geek out about some cool new method of using crypto, but I've come to realise that as much enthusiasm I have for the technology, I'm not really comfortable trusting the election of my government to it because it's so easy to subvert.
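The post above describes a tally written to a data file on removable media and edited in transit with no one the wiser. The following is an added example, not code from the page or from any voting system, of the minimum that stops a silent edit: the tallying machine seals its record with an HMAC, and the collation site refuses any file whose tag does not verify. The key, machine and booth names and counts are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key. In practice the key would be provisioned to the tallying
# machines and the collation site through a separate, controlled channel.
EXAMPLE_KEY = b"example-key-not-for-real-use"

# Constructed per-machine tally of the kind the post imagines being written to an
# SD card for collation elsewhere.
SAMPLE_TALLY = {"machine": "M-17", "booth": "Booth-12", "counts": {"A": 120, "B": 95, "C": 40}}


def canonical(tally):
    """Deterministic serialisation so both sides compute the MAC over identical bytes."""
    return json.dumps(tally, sort_keys=True, separators=(",", ":")).encode()


def seal_tally(tally, key):
    """Return the file content: the tally plus an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(tally), hashlib.sha256).hexdigest()
    envelope = {"tally": tally, "mac": tag}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def open_tally(sealed, key):
    """Return the tally if the tag verifies under `key`, otherwise None.
    Malformed input and a wrong key are both reported as failure, not as data."""
    try:
        envelope = json.loads(sealed.decode())
        expected = hmac.new(key, canonical(envelope["tally"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return None
        return envelope["tally"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None


def alter_file(sealed, old, new):
    """Simulate an in-transit edit of the data file (first occurrence of `old` replaced)."""
    return sealed.replace(old, new, 1)


if __name__ == "__main__":
    sealed = seal_tally(SAMPLE_TALLY, EXAMPLE_KEY)
    print("genuine file accepted:", open_tally(sealed, EXAMPLE_KEY) == SAMPLE_TALLY)
    edited = alter_file(sealed, b'"B":95', b'"B":99')
    print("edited file accepted:", open_tally(edited, EXAMPLE_KEY) is not None)
```

This only detects changes made by someone who does not hold the key; whoever controls key provisioning, or the machine that computes the tag, can still produce a file that verifies, so the tag shifts trust onto key custody rather than removing the concentration of trust the post is concerned about.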
Re: (Score:2)
One way of putting #2 is that it's easier to mess with paper ballots, but harder to mess with a lot of them and get away with it. If you want to change 100,000 paper votes, a lot of people are going to have to be in on it.
Re: (Score:2)
True, but I think old Doc Barnowl actually just left out a word.
II) It's easier to mess with than paper ballots,
Re: (Score:2)
Or I just misread it. D'oh.
Re: (Score:2)
Interesting
What I was trying to point out is that private encryption can be much more secure than public.
obviously there needs to be oversight.
A carefully managed system with a private encryption system can be very safe, and far less costly than an open one. But it does mean you can't publish the code.
Given the recent heartbleed issue. How secure is open source?
Re: (Score:2)
It's true that there is no difference in security between
* A closed source, perfect, crypto component
* An open source, perfect, crypto component
If it's perfectly secure, the privacy of the source code makes no technical difference.
private encryption can be much more secure than public
As above, if the security of your solution is perfect, privacy makes no difference - public can be much more secure than private.
The privacy of your solution DOES make a difference to other factors.
* Trust
People are more inclined to trust something they can inspect. If someone say
Uh oh (Score:1)
Take a note from encryption (Score:3, Insightful)
If your software isn't secure when your source is open, it isn't secure when it's closed. Either it's secure or it's not, but if part of maintaining that security is keeping the source under wraps, you're not thinking about security properly. You won't find encryption software claiming that by keeping its source closed it is increasing its resilience. If your code can't stand up to scrutiny, then you probably shouldn't be using it,
Re: (Score:2)
There's plenty of people who don't understand this.
You won't find encryption software claiming that by keeping its source closed it is increasing its resilience. If your code can't stand up to scrutiny, then you probably shouldn't be using it,
Plenty of people prefectl
Of course they can't. (Score:3)
Re: (Score:2)
Simple fix (Score:1)
Then vote to have it released
Re: (Score:1)
I for one welcome the rise of the Recursion Party.
Flawed vote tallying code (Score:5, Insightful)
Apparently releasing the code could "leave the voting system open to hacking or manipulation."
Maybe they just shouldn't have used code that they know or expect to have vulnerabilities. Open it up to the public; there are plenty of people who will look at it and help fix it.
It's fair enough (Score:2)
"The AEC rejected the FOI application, citing section 45 of the FOI Act, which exempts "documents that disclose trade secrets"."
You don't expect that trade secrets should be made public, do you? Look the code is not open source and is valuable intellectual property... so I hope I don't get my ass sued off for revealing it here:
int voteCount = votes.Count();
Not surprising (Score:1)
Aussie here, posting anon because I work for the Gov.
Honestly there's nothing too surprising about this. Australia is very pro-proprietary it would seem in terms of software and formats. We love using Microsoft products everywhere and Linux is never seen on a desktop, and barely outside of a server room (not including phones of course - we're not too bad in Android use). For the most part, there's no real push for openness or freedom of code as there is particularly in many European countries. I wish it wer
Incomplete quote (Score:2)
Apparently releasing the code could "leave the voting system open to hacking or manipulation by the wrong people."
Corruption (Score:5, Insightful)
So what the AEC is saying is that the election is safeguarded by what is called "security by obscurity". Or in other words, rather than having the software open so that security researchers can point out its flaws, you leave the flaws in place and hope that nobody knows what they are.
People who rely on this method, are known in security circles as "blathering idiots", "damned fools", "corrupt officials hiding something", and various things like that.
It's the moral equivalent of giving all the paper ballots to one single pointy headed official, asking him to count them, and then believing whatever number he decides to cough up. That's what you expect in Cuba, and other dictatorships.
Corruption (Score:2)
http://www.abc.net.au/news/201... [abc.net.au]
The complex Single Transferable Vote math has been used around the world for many, many years now in different forms. This rush to keep computer code is interesting.
Re: (Score:1)
Re: (Score:2)
Given the choice between "security through obscurity" and "security through thorough code review", I'd much prefer the latter. See also: Heartbleed.
Re: (Score:2)
You may not understand the system properly. Everything is still hand-counted and fed into the computer. Unfortunately the preferential voting system is complicated enough that for the senate vote you actually need a computer to figure out who won. The software is not software that is open up to mass public access like for instance a voting machine. It's in house software, developed in house and used in house by the AEC.
If you can't trust a member of the AEC not to tamper with the software then you can't tru
My perennial comment on this topic (Score:2)
Whenever the topic of whether or not the source code to voting machines should be inspected comes up, I always point here: http://gaming.nv.gov/index.asp... [nv.gov] and ask: 1) What do you think would happen to your slot machine if you told those guys you weren't going to show them your source code? and 2) Why not let these guys look at the voting machines, too? Seems like a transferable skill.
open to hacking or manipulation (Score:2)
releasing the code could "leave the voting system open to hacking or manipulation."
In other words, any current or previous programmer in the development team could manipulate the vote results if one wanted to.
Any reasonable man would conclude that should be enough reason to stop using it.
Refused... Are you kidding me ? (Score:1)
Lets not get uppity here Americans.... (Score:2)
We have it no better here. 60 Minutes did an exposé showing how with just a little bit of physical access to a voting machine (which majority party representatives have since they are 'responsible for checking the machines before elections') you can make any result you want come out of our electronic voting machines regardless of what the input was in the voting booth. There have only been 2 times in recorded history that the actual outcomes in a voting district severely varied from the actual results on
Only I can hack the vote says the government. (Score:1)
Voting machine study .. (Score:2)
"There is insufficient evidence available to allow independent observers to state reliably whether the results declared in the May 2008 elections for the Mayor of London and the London Assembly are an accurate representation of voters’ intentions. Given these findings, the Open Rights Group (ORG) remains opposed to the introduction of e-counting in the United Kingdom, unless adopting ORG’s recommendations for increasing the transparency around e-counting can be proved cost e
LIES!! (Score:1)
Software in Australia ... (Score:1)
I'm surprised there is any software to release given the mainly manual nature of our voting system. I'd be more concerned that the transposition from Paper ballots to Paper Tallies to a Computer might be inaccurate. More likely than the software organising the results would be flawed in my opinion.