Government's voting source code secrecy is dumb and dangerous

In one brief letter, the Australian government has shown that it's clueless about both technology and democracy.

Here's an idea for streamlining our national elections. Once people have voted, how about we scoop up all the ballot papers, put them into a big sack, and hand it to a group of masked strangers? They take the sack away somewhere — somewhere secret, so no-one can interfere with them — and some time later they return and just tell us who won.

I reckon it'd be cheaper and a lot less trouble for everyone than all this slow, manual counting in front of scrutineers, right?

No? Don't like it?

Well, boys and girls, given that the Australian government is refusing to show us the source code for the Australian Electoral Commissions's EasyCount software, that's pretty much exactly how your votes for the Senate are being counted right now.

Your Senate votes, the ones where you've carefully specified your preferences for dozens of candidates, go into the black box of EasyCount, magic happens, and out pops the result.

On the say-so of EasyCount's secret source, 360,000 lines of Visual Basic, some candidates get to sit on the red leather seats of the Senate chamber and make the nation's laws for the next six years, and all of the other candidates miss out.

The government's reasoning, if you can call it that, is contained in a letter (PDF) tabled by the Special Minister For State, Senator Michael Ronaldson, whose biography indicates that he was a provincial lawyer before climbing the political ladder from local councillor to local MP to Senate.

"I am advised that publication of the software could leave the voting system open to hacking or manipulation," Ronaldson wrote. "In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems."

That's a worry.

Could the vote-counting software really be so fragile? The many-eyes theory of software security has sometimes proved to be more of a religion than a science. Heartbleed, anyone? But the various bug bounty programs have shown that getting the public involved usually uncovers more and more subtle software flaws than any internal review team, who often can't see the forest for the trees.

Is the need to make a bit of money, less than $18 million a year according to the AEC's 2012-2013 annual report, really more important than giving us citizens the transparency and trust we need in our democratic processes? I'd happily pay my one dollar share to help rule out one key way in which an election could be mismanaged, or worse.

Dr Vanessa Teague from the University of Melbourne studies the cryptographic protocols used by electronic voting systems. She shares many of my concerns.

"We're talking about a program that implements a very subtle, complex algorithm. It's incredibly difficult to get all the details right. The question here is whether the code has some subtle bug that hasn't been noticed yet but which might one day make a difference to a very close Senate outcome," Teague told ZDNet by email.

"I think we should have as much scrutiny and discussion as early as we can, so we have the best possible chance of finding bugs, fixing them, and agreeing on all the details of a correctly implemented algorithm, rather than waiting until there's a dispute about the outcome of a particular election."

Now there's some transparency in the current process. The AEC does make the raw voting data available, one record for every vote cast, so independent researchers can double-check a particular answer in a particular election. As just one example, this kind of data has allowed the Australian Broadcasting Corporation's election specialist Antony Green to uncover clerical errors in the manual count of some New South Wales state elections in the early 20th century — although none would have changed the result.

"That's great. It's much better than no double-checking, but it doesn't prove that the AEC's algorithm will necessarily get the right answer every time," Teague said.

"If the public had access to the AEC's source code as well, they'd be able to make a much more comprehensive assessment of a much larger number of possible cases, before they arise in a real election. There would also be a chance for researchers such as Raj Goré at ANU to run formal verification and analysis of the code in order to identify more subtle bugs. Then if there was a dispute about whether the AEC's counting code had performed correctly in a close election, the AEC would have a much more solid argument for the code's correctness, based on much broader scrutiny."

As for the security and commercial sensitivity arguments, Teague is blunt. "They scarcely pass the giggle test," she said. The Victorian Electoral Commission and Australian Capital Territory Electoral Commission have both published a variety of source code — and in both cases it includes the key vote-counting code.

So why are Ronaldson and the AEC so keen to make access to their source code as difficult as possible? In my experience, secrecy more usually covers up incompetence rather than conspiracy.

I'm putting my money on EasyCount being an embarrassing tangle. Either way, such things should be exposed and dealt with, not covered up.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All