My open proposal for solving the crisis of confidence in election results….

I think there’s an analagous argument against standards-driven computer systems in general. Allowing companies to sell whatever they want enhances competition, but buyers, fearing lock-in, demand more and more standards compliance. We as customers of those systems decline to buy systems that (say) don’t speak TCP/IP. I think it is also perfectly reasonable to demand fully available source code.

I think that a vendor could reasonably prevent competition from servicing their machines on integrity grounds, even if everything is known about it. We might even make that a legally enforcable monopoly, for the security and integrity benefits. (Vendors might choose not to exercise it, believing that competition is good for their customers.)

What I want to try to figure out is how to balance disclosure and propriety. It’s clear that more disclosure is necessary. It’s clear to me that full disclosure to the public is a bit much given what we’re trying to acheive.

To wit: I had no degree, no publications, wasn’t working as a researcher of any sort. What’s more, at hacker cons, I meet a fair number of possibly up and coming researchers who meet that definition. Some of them have become well known and respected: ‘qualified’ even. They get there by doing research on important targets.

So, let me turn the question: Why is it important to restrict who gets source, and are there other ways to achieve those goals?

Is there a way of constructing “qualified” that would include you? Could you, for example, provide letters of recommendation that attested to your technical ability? (That paper you pointed to, especially if published in a peer-reviewed journal, would probably be sufficient).

I still think it’s important to restrict the number of people that get access to source code but ensure that the products of their analyses are available to all.

Also, while I didn’t have access to source code, I most definetly had access to code, and we did quite a bit of disassembly work.

I think that raising the transaction costs of evaluating source code is a mistake. There are lots of targets of interest, barriers will cause a great many people to look elsewhere.

Finally, I have no idea what you, or the vendors’ lawyers mean by “malicious intent.” If I submit a bug in a voting machine to bugtraq, is that malicious intent? Whatever you happen to mean, you’re adding stumbling blocks which analysts will worry about, and those analysts will go elsewhere. This has already happened with DMCA. I think its important to estimate the drop in the quality of analysis that would happen under various forms of such a proposal.

For sure, we’d want to make sure that people that could do such analysis as you demonstrate in that paper have access. You make a great point that can be more generally stated as: there is a spectrum from public availability of all details about a system to complete secrecy on which the probability of detecting a vulnerability varies as the number of eyeballs that could possibly look at the code. That is, the trick is to make sure you have enough interested and capable eyeballs to review code and to retain as much of a competitive edge that IP provides firms as possible (if it makes sense, which I think it does).

I think it’s important to reduce the number of people that have access to the source code to keep the voting systems market competitive. While one could say, “why are we worrying about competition?”, it’s important to remember that the market for voting systems is a tough place to do business and our increasingly efficient and capable electoral system requires these businesses to function.

I think, at a minimum (and I’m still working through this, so please post comments), there would have to be the following requirements:

* Each evaluator would have to enter into a standard agreement with the vendor that specified the licensing terms of the software and other things such as attesting that they wouldn’t do certain things (like create and sell databases of vulnerabilites with malicious intent, etc.).

* Vendors would have to agree to disavow any claims to trade secrecy in their software. (Trade secrets disappear when something is no longer secret.)

* Each evaluator would have to demonstrate some sort of qualification to evaluate the software. This could be as easy as having some certification (such as a degree) in computer science or another technical field.

* Each evaluator would have to agree to publish the results of their analysis publicly so that the general public received the benefit of the source code review. It would also help immensely to put the vendors on notice that secrecy in the name of the bottom-line is going to be phased out.

* There would need to be procedures for addressing what happens if a vulnerability is found in elections software close to an election in which it is to be used.

I disagree fairly strongly with your idea of selective disclosure to qualified individuals. My first paper was on ‘Apparent Weaknesses in the Security Dynamics Client Server Protocol. When I wrote it, I was in no publicly discernable way “qualified,” I was just someone who was interested in the system, and had the time to look at it. As far as I know, that work is still the most devastating one ever found against their product line. So I speak from experience when I say that the set of non-qualified examiners shouldn’t be excluded.

I see various issues with this neat VM idea. First, innovation; companies right now compete on services, equipment, software and features. How are companies going to set themselves apart from the rest of the pack if everyone’s using the same vanilla VM? Or do you see space in your idea for significant differentiation of the end result running on a common VM? One thing I’m sure you saw at the Alameda Co. demo was that each implementation was vastly different from each other… do you think that this kind of differentiation would be possible in your model?

The final issue I’ll mention is creation and maintenance of the VM. You say “A community of concerned citizens, election officials, programmers, and security experts could work together to develop and evolve the specification and implementation of the VM in an open process.” If we take the Open Voting Consortium as an example of an organization that has endeavored to produce an open source, commodity voting system, we see that making this kind of thing happen is not as easy as it would seem. Also, in terms of federal and state regulatory barriers, you’ll have to have the VM be a mandated requirement (all vendors write software for the VM that is tested in confidence) or there will have to be the option to do it the old way or this new way… and I don’t see these vendors willingly moving from a codebase that they’ve invested lots of resources into to this new VM concept.

I think you may be misunderstanding my use of the term “non-commercial.” I was using it in the specific sense of a Creative Commons license. See more below.

Who said anything about a non-commercial solution? I’m advocating for commercial solutions, with strong transparency into what is being used to evaluate and tabulate votes.

The Creative commons ‘non-commercial, attribution’ license is a copyright license that allows people to make non-commercial use of a work, while reserving all commercial rights. For example, if Ping licensed this blog under that license, you could quote freely from it on your blog, but not put the posts into a book and sell it.

Much the same way, the companies could distribute their code under such a license. It would be a copyright violation to use it commercially, but I could read it. They, being the copyright owner, could also use the code in a commercial setting.

I think we can have commercial companies, selling and supporting products, whose source code is available to the public for inspection.

On the other side of the transparency issue are the companies who have to sustain a profitable business making and selling these machines. They don’t want their source code to be released to the public. To succeed they have to compete — and how can a company maintain a competitive advantage if their competitors can just take and use their source code?

Releasing source code doesn’t make that source code usable by a competitor. It would be reasonable to use a license which is not an open source license to achieve the purposes of democratic oversight. Such a license would allow security and reliability analysis, but not reuse in other projects. Since all code has to come out under these sorts of terms, copyright infringement is easily discoverable. In fact, it seems to me that the non-commercial, attribution creative commons license may do precisely what everyone wants.

Even if it doesn’t, reliance on the implements of democracy is hugely important, as it is the source of government legitamacy. That’s worth fighting for.

Their competitive advantage is reduced, but not eliminated.

It is not always the most important thing to preserve competitive advantage.

I’d agree with both of these statements. I didn’t mean to imply i thought there was no competitive advantage left; i was only trying to illustrate why these companies want to keep their source code secret.

Also, your VM seems very high level to me. How does it differ from say, mandating the use of a certain underlying open source voting system?

Ballot designs. Each ballot is a program; the VM executes the ballot. What i have in mind is probably not as high-level as you are thinking. The companies can compete to make tools for designing and creating ballot programs. The compiled ballot programs (just like paper sample ballots) should be available to the public for testing and verification before the election. One of the advantages of a standard VM is that it lets ordinary citizens try out the ballots on their own computers.

And ensuring that the VM is standard among multiple jurisdictions sounds harder to me than going fully open source. What firm wants to build their product on a government-mandated closed-source VM?

I’m talking about an open-source VM here. I see this not as an alternative to open source but a step towards it.

I disagree with this premise. Their competitive advantage is reduced, but not eliminated. Linux software distributions share their source, and yet the companies still compete against each other and offer different advantages. The needs of various voting jurisdictions are varied enough that this could easily drive competition.

It is not always the most important thing to preserve competitive advantage. I’m sure lots of beverage companies would be more competitive if they didn’t have to disclose their ingredients. But the health and safety of the public are more important. So why does democracy go so cheaply?

Also, your VM seems very high level to me. How does it differ from say, mandating the use of a certain underlying open source voting system?

And ensuring that the VM is standard among multiple jurisdictions sounds harder to me than going fully open source. What firm wants to build their product on a government-mandated closed-source VM? Bug fixes, performance enhancements, and data model extensions would be impossible. They could compete better on a pure open source platform.