Government's voting source code secrecy is dumb and dangerous

Government's voting source code secrecy is dumb and dangerous

Summary: In one brief letter, the Australian government has shown that it's clueless about both technology and democracy.


Here's an idea for streamlining our national elections. Once people have voted, how about we scoop up all the ballot papers, put them into a big sack, and hand it to a group of masked strangers? They take the sack away somewhere — somewhere secret, so no-one can interfere with them — and some time later they return and just tell us who won.

I reckon it'd be cheaper and a lot less trouble for everyone than all this slow, manual counting in front of scrutineers, right?

No? Don't like it?

Well, boys and girls, given that the Australian government is refusing to show us the source code for the Australian Electoral Commissions's EasyCount software, that's pretty much exactly how your votes for the Senate are being counted right now.

Your Senate votes, the ones where you've carefully specified your preferences for dozens of candidates, go into the black box of EasyCount, magic happens, and out pops the result.

On the say-so of EasyCount's secret source, 360,000 lines of Visual Basic, some candidates get to sit on the red leather seats of the Senate chamber and make the nation's laws for the next six years, and all of the other candidates miss out.

The government's reasoning, if you can call it that, is contained in a letter (PDF) tabled by the Special Minister For State, Senator Michael Ronaldson, whose biography indicates that he was a provincial lawyer before climbing the political ladder from local councillor to local MP to Senate.

"I am advised that publication of the software could leave the voting system open to hacking or manipulation," Ronaldson wrote. "In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems."

That's a worry.

Could the vote-counting software really be so fragile? The many-eyes theory of software security has sometimes proved to be more of a religion than a science. Heartbleed, anyone? But the various bug bounty programs have shown that getting the public involved usually uncovers more and more subtle software flaws than any internal review team, who often can't see the forest for the trees.

Is the need to make a bit of money, less than $18 million a year according to the AEC's 2012-2013 annual report, really more important than giving us citizens the transparency and trust we need in our democratic processes? I'd happily pay my one dollar share to help rule out one key way in which an election could be mismanaged, or worse.

Dr Vanessa Teague from the University of Melbourne studies the cryptographic protocols used by electronic voting systems. She shares many of my concerns.

"We're talking about a program that implements a very subtle, complex algorithm. It's incredibly difficult to get all the details right. The question here is whether the code has some subtle bug that hasn't been noticed yet but which might one day make a difference to a very close Senate outcome," Teague told ZDNet by email.

"I think we should have as much scrutiny and discussion as early as we can, so we have the best possible chance of finding bugs, fixing them, and agreeing on all the details of a correctly implemented algorithm, rather than waiting until there's a dispute about the outcome of a particular election."

Now there's some transparency in the current process. The AEC does make the raw voting data available, one record for every vote cast, so independent researchers can double-check a particular answer in a particular election. As just one example, this kind of data has allowed the Australian Broadcasting Corporation's election specialist Antony Green to uncover clerical errors in the manual count of some New South Wales state elections in the early 20th century — although none would have changed the result.

"That's great. It's much better than no double-checking, but it doesn't prove that the AEC's algorithm will necessarily get the right answer every time," Teague said.

"If the public had access to the AEC's source code as well, they'd be able to make a much more comprehensive assessment of a much larger number of possible cases, before they arise in a real election. There would also be a chance for researchers such as Raj Goré at ANU to run formal verification and analysis of the code in order to identify more subtle bugs. Then if there was a dispute about whether the AEC's counting code had performed correctly in a close election, the AEC would have a much more solid argument for the code's correctness, based on much broader scrutiny."

As for the security and commercial sensitivity arguments, Teague is blunt. "They scarcely pass the giggle test," she said. The Victorian Electoral Commission and Australian Capital Territory Electoral Commission have both published a variety of source code — and in both cases it includes the key vote-counting code.

So why are Ronaldson and the AEC so keen to make access to their source code as difficult as possible? In my experience, secrecy more usually covers up incompetence rather than conspiracy.

I'm putting my money on EasyCount being an embarrassing tangle. Either way, such things should be exposed and dealt with, not covered up.

Topics: Security, Government AU


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Algorithm

    Why are algorithms needed to sum counts in the first place? Sounds like BS to me...
    • STV is a lot more complicated than plurality voting

      So it actually makes sense to computerize the counting in that case (it's part of the cost of proportionality), though I think at least the first preferences should be counted by hand at the polling place. But algorithms are required to accurately count anything (anything more than the five the human mind is capable of comprehending directly); it's just that not all of require a computer to implement them.
      John L. Ries
      • And in any event...

        ...the actual combinations of votes should always be publicly available (just not the identifies of those who cast them).
        John L. Ries
  • The best choice is clear

    The best choice is the old choice. The good old scantron sheets have the lowest error rate and can be re-scanned by different systems with different software. All these other touch screens and such nonsense are just people trying to make money off it.
    Buster Friendly
  • Security through obscurity?

    It may work for one voter among 15 million, but it's not such a great plan for the vote-counting system.

    Let's just hope they haven't purchased any of the US software - I hear Florida still has some great "vote-counting" software from 2000.

    One wonders if the AEC has heard about open-source audit projects - for instance - or perhaps it just invented a new vote-counting algorithm that it wants to patent.
    • Florida's 2000 vote counting software

      The system was mechanical, not computerized; that's why hanging chads and overvotes were a problem. That said, I think the proper way to deal with overvoting in a plurality/majority system is to count all the votes; even if more were cast than there were seats to be filled (it's not like the voter is actually increasing his influence by voting for too many candidates).
      John L. Ries
  • Dumb and Dangerous

    Dumb and dangerous you say. The Coalition government? Dumb and dangerous. You are too kind.
    Dr. Ghostly
  • If we're not allowed to see the code ...

    ... then, as Stil says, our trust in the system can be minimal.

    At least the current vote counting system (with hundreds of different counters, assessing thousands of votes, under the eagle eyes of even more hundreds of scrutineers) is devolved enough so that it would probably be impossible for anyone or any body or party to abuse the process to manipulate the result in any coordinated form. Local fraud, or bias, or error may be possible ... but to affect the whole process without being detected would be effectively impossible.

    As the Florida debacle of a few years back, using the heavily suspect Diebold voting and counting machinery, the same cannot be said for automated systems. Unless the code is open to view, for assessment by trusted third parties, then the system simply cannot be trusted. Neither those who benefit from the electoral system (the politicians and their parties), not those who operate the electoral system (the AEC ... fresh from the WA Senate debacle) have shown they are worthy of our unconditional trust, and indeed any electoral system worth its salt should not rely on trusting those two groups blindly.

    Unless the code can be vetted and tested by experts and third parties ... why should we trust it? Especially for a process as needlessly complicated as the Australian Senate preferences in calculating the 'First Past the Post'.

    And if it can't be trusted ... why use it?
    Frank O'Connor
    • Actually

      The only complication in the system used to elect Australian Senators and Representatives I'd dump is "above the line" voting. Voters should decide for themselves how to rank candidates instead of allowing the parties to do it for them. Voting for parties is to me not acceptable as it makes MPs more accountable to their parties than to their constituents (bad enough that incumbent Representatives can be moved from district to district at the discretion of their parties); and plurality voting (what we do here in the states) artificially entrenches the two party system, which ends up being a one and a half party system in most Congressional districts.

      I have thought for a long time, though, that STV could be made simpler for the voters in multi-member constituencies (like Australian states) by eliminating the need to for voters to rank candidates; instead voters could choose as many candidates as they wanted and rankings would be determined by the number of people voting for each candidate. The result would be that the seats would end up going to the most popular candidates from each party, which would have the effect of discouraging mudslinging and hyperpartisanship (offending opposition and swing voters might well cost a candidate the election). Call it SAV (Single Allocated Vote).
      John L. Ries
  • Probably too embarrasing

    Like the recent disgracefully run elections, one could expect 360,000 lines of Visual Basic code are of a disgraceful quality, one may ask what people are paying for when they use it, and fresh eyes may see lots of unpleasant bugs.
    Visual Basic is used for prototype code, not proper systems, and if VB6, is way beyond obsolete and unsupported now.
    Here is the thing, take $2m from the $18m and get the thing straightened out by a few experienced developers.
    • Language is irrelevant...

      You might not like VB, but it does produce working applications. They might be clunky, they might be slow, but if the internal logic is correct, they will work. It could be written in GW BASIC, or FORTRAN 77 or Turbo Pascal for all it matters - as long as the logic is right.

      That's the problem - not that it's VB, but that no one can check that the internal logic used to convert votes to a completed count is actually correct.
  • So very wrong

    Long before this monster reared its ugly head, in light of the evidence presented that electronic voting in the u.s. was extremely easy to contaminate, I designed an entire protocol for national electronic voting.

    Rather than distributing all that cardboard and paper for the day, school and town libraries would be usurped for the day. There would be at least THREE companies answerable to the AEC producing OPEN source CDs of the Linux Live! version such that pretty much regardless of what hardware, and bypassing internal software, we would have a national voting network whereby each software version would also be trying to upstage all the others, exposing any faults that could be found.

    Unfortunately this would require a level of co-operation amongst politicians that is only ever seen when it comes to approving a pay rise for themselves.
  • counting preferences

    Hell let's keep it simple and do away with preferences. That's part of the problem to start with. A person votes for who they want in office and they are counted end of story. I personally would like to know that my vote went to who ever I voted for. The person with the most votes gets into office I have no idea who I'm voting for with preferences handed out to mates or some one I don't know.
    • That's Not The Type of Voting System That I Want

      What you're proposing is first-past-the-post and ensures that the most popular candidate wins.

      Our present system, preferential voting, is sometimes characterised as being that the least offensive candidate wins.

      I vote for not turning our electoral system on it's head.

      If you don't like the preferences chosen by your preferred candidate, get off your arse, find out about the candidates and write your own preferences - it's not that hard.

      This is also not a difficult problem to resolve - the AEC just need to get over their issues (and release the source code). They can use existing free-software if they wish (providing they adhere to the license conditions) and even modify it if they so desire.

      If the whole process costs more than AUD$1,000,000 then someone deserves to be shot
      Dr. Snipe
      • Re: That's Not The Type of Voting System That I Want

        "What you're proposing is first-past-the-post and ensures that the most popular candidate wins."

        Gee I thought that was the reason we even bothered to vote for the the most popular candidate to win! At least it would be the person or party we wanted to take the office.

        Why in the world would I want my vote to go to some one I don't want in charge?
        • Understanding the essence of the problem

          It seems that gduckett1 hasn't ever understood how preferential voting works - the whole system is designed to identify the most acceptable candidate to the majority of people.

          When I studied Computer Science, we were given the problem of designing software that would determine the outcome of simple preferential voting. Simple preferential voting is where multiple candidates stand but only one will be elected. This is different to how the Senate election works (where multiple candidates will be elected), but the general principle is still the same.

          Conceptually, the person who receives the most first-preference votes may not be the most acceptable candidate.

          Consider an imaginary situation where four candidates are standing for a position: Candidate A, Candidate B, Candidate C and Candidate D.

          Imagine also that Candidate A is popular with about 30% of the voters, while all the remaining 70% would rather see him dead. Consequently, all this 70% put Candidate A as their last preference.

          After the first round of votes, Candidate A has 30% of vote, and the others have 70% scattered between them and for the sake of this example, we have it that no-one has more than Candidate A.

          As no candidate now has more than 50% of the vote, the preferential system then eliminates the person who had the least number of primary votes, and distributes their second preferences. Let's assume this was Candidate D, leaving Candidates A, B and C still in the running.

          As none of the second preferences went to Candidate A, at least one, and possibly both, of Candidate B and Candidate C now have more votes than Candidate A.

          In the worst case scenario, Candidate B and Candidate C both have 35% of the vote, clearly showing that either of them is more acceptable to the voters-as-a-whole than Candidate A was.

          In other situations, where the second preferences of the eliminated candidate favoured one specific candidate, that favoured candidate may now have more than 50% of the vote, and so would then be the winning candidate.

          In any case, if the vote is still not decided, after the next elimination, Candidate A will still only have 30% of the vote and the other remaining candidate 70%.

          Once I had seen this example, I understood why we use preferential voting, and will never again support simple first-past-the-post. Until a candidate has 50% support, he *mustn't* be considered the most suitable.

          As pointed out by davemac-97028, this can also be interpreted that the least disliked candidate wins.
        • Why would your vote go for a candidate you don't support

          If you don't support the candidate, don't rank him.
          John L. Ries
    • The problem with that is... becomes all too easy for a candidate or party to win by dividing the opposition. In places like the UK and Canada, it only takes about 35-40% of the vote for a party to form the government; probably the only reason things haven't similarly splintered in the US is the system of direct primaries, which has lots of problems of its own (starting with the fact that it doubles the expense of campaigning, primaries are almost always decided by plurality vote, and in safe seats, the primary becomes the de facto election).

      If preferential voting is to be abolished in Australian federal elections, it should be replaced with a two-round majority system. But with 12 Senators per state elected at large, that's really only feasible for the House.
      John L. Ries
  • beatup

    This whole story sounds like a lefty beatup. Time to get over it. Every body gets another go in 2016.
  • That's 360,000

    Repeat, 360,000 lines of code.
    To verify the counting algorithm, the rules have first to be clarified and undersood in plain English through psuedo code or flowcharts/decision trees. I assume this is already done.
    Then, once understood, 360,000 lines of code have then to be verified against each counting rule.
    Thats a big job, and if 'researchers such as Raj Goré at ANU' want to take that on, then good luck.
    From personal experience, major financial institutions run at least 1.5 million lines of code for their core systems, all of which has been written on a 'we'll build that ship as it sails' basis by over 100 programmers stretching back 40 odd years. I've seen code block comments dated in the late 1960's. Any individual programmer is responsible for around 20,000 lines of code at most, any more than that and its a one way ticket to the laughing academy.
    You can imagine the sceptisim among programmers of the correctness of the code base they manage...and this has a direct impact on all of us from our bank and super accounts to telco and utility bills.
    Sure, it's worth raising a red flag, but I think the problem is more universal than just the senate preferential voting system.