The TrustTheVote Project of the Open Source Digital Voting (OSDV) Foundation achieved another important milestone two weeks ago this morning, this time with the District of Columbia Board of Elections and Ethics, although not without some controversy. The short of it is, and most important to us, the Foundation has been given the opportunity to put real open source elections software into a production environment for a real public election. But it turns out that milestone is struggling to remain visible. [Note: this is a much longer post than I would prefer, but the content is very important to explain a recent announcement and our role.]
I’ve waited to launch a discussion in this forum in order to let the flurry of commentaries calm on the news. Now we need to take the opportunity to speak in our own voice, rather than through the viewpoint of journalists and press releases, and provide insight and reality-checks from the authoritative source about what we're up to: Us. For those of you who have not read any of this news, here is a sample or two. The news is that the District of Columbia is implementing a Pilot program to digitally deliver ballots to a group of qualified overseas voters, and accept digitally returned ballots from them. (Actually, D.C. already accepts digitally returned ballots via Fax and eMail.) So, the headline might be:
“District of Columbia to Launch Pilot Program to benefit Overseas & Military Voters with Digital Distance Balloting Solution Using Open Source Software from Non-Profit Voting Technology Group.”
I believe that is as simple and factual as it gets, and IMHO a fair headline. However, here are two alternative headlines, depending on your view, interests, or issues:
- “Open Source Voting Project Succeeds in Production Deployment of New Transparent and Freely Available Elections Technology.” -or-
- “OSDV Foundation Advances Misguided Cause of Internet Voting, Despite Well Settled Dangers, Putting Election Integrity at Risk.”
If you follow our work or have read our statements on these topics before, then you recognize that headline #1 is where our interests and intentions are focused. Over the past two weeks, though, we’ve received plenty of feedback that some believe headline #2 is the real and unfortunate news, undermining the efforts of those who tirelessly work for elections integrity. Well, that is not what we intended to do. But we do need to do a better job at communicating our goals as the facts unfold about the project. So, let me back up a bit and start an explanation of what we are really doing and what our real intentions are.
But first let me make the following statement, repeating for the record our position on Internet voting:
The Open Source Digital Voting Foundation does not advocate the general use of the public Internet for the transaction of voting data. The technical team of the TrustTheVote Project strongly cautions that no Internet-based system for casting, let alone counting, of ballots can be completely secure, nor can a voter’s privacy be ensured, or the secrecy of their ballot protected.
We do not recommend replacing current voting systems by adopting Internet Voting systems. However, we think that there may be a use case in which Internet-based ballot return is the only course of last resort for rapid delivery of a ballot in time to be counted. That case is the very limited situation of an overseas or military voter who believes that they may be disenfranchised unless they rely on a digital means to return their marked ballot, because physical means are not timely or not available. That is the situation that we genuinely believe is being restrictively addressed in the D.C. Pilot project in which we are participating.
And to be crystal clear: OSDV's role is supplying technology. The District's Board of Elections and Ethics is running the show, along with the District's I.T. organization. But why did we choose this role? The success of the TrustTheVote Project is predicated on accomplishing three steps to delivering publicly owned, audit-ready, transparent voting technology:
- Design;
- Development; and
- Deployment.
Design. We are employing a public process that engages a stakeholder community comprised of elections officials and experts. We cannot design on our own and expect what we come up with to be what will work. It is, and must be, a framework of technology components in order to be adoptable and adaptable to each jurisdiction that chooses to freely acquire and deploy the Project’s work. No part of the TrustTheVote Framework specifically addresses any transport means for ballot data. The Framework voting systems architecture includes accessible ballot marking ("ABM") devices, optical scanners for paper ballots marked by hand or by ABM, and tabulators. The Framework elections management services architecture includes EMS components, poll books, and a ballot design studio.
Development. We are employing an open source method and process, somewhat modified and similar in structure to how the Mozilla Foundation manages development of their open source software – with a core team that ensures development continuity and leadership, complemented by a team of paid and volunteer contributors. And the development has to be open, to go along with the open design process, and open testing, delivering on the commitment to building election technology that anyone can see, touch, and try. We’re developing for the four legs of integrity: accuracy, transparency, trust, and security.
Deployment. But “open source” at the Foundation is also about distribution for deployment. As we've said before, the OSDV Public License, based on our “cousin’s” license, the Mozilla Public License, meets the special needs of government licensees. And in so doing we make available the source code and, where required, resources (in exchange for a development grant to the Foundation) to make the necessary refinements and modifications that enable the adopting jurisdiction to actually deploy this open source technology. The deployment will generally be managed by a new type of commercial player in the elections technology sector: the systems integrator, who will provide qualified commodity hardware with the Project’s software, and the services to stand it up and integrate it with the jurisdiction’s other IT infrastructure where required.
Motivation. One critic has asked, “Why would you agree to support any project that uses the Internet in elections or voting?” Our motivation for working with the District of Columbia is all about the third “D” – Deployment. All of our efforts are merely academic unless stakeholders who have contributed to the specifications actually adopt the resulting open source technology as an alternative to buying more proprietary elections technology, when the opportunity arises to replace or enhance their current solutions.
Now, what about that “Internet” element?
The District of Columbia Board of Elections & Ethics (B.O.E.E) was in search of a solution to enhance their compliance with the MOVE Act. Of course, people in many election jurisdictions were asking:
If I can deliver the blank ballot and reduce the cycle time for qualified overseas voters, then why shouldn’t we go all the way and facilitate digital return of the marked ballot?
Well, there’s a host of reasons why one shouldn’t do that. For one quick example: our valued strategic technology partner collaborating with us on data standards, the Overseas Vote Foundation, not only offers digital blank ballot delivery, but has also renewed its courier services through the assistance of the US Postal Service and FedEx to ensure that military voters' marked ballots can, in fact, make it back in time. But on the other hand, there is an unfortunate reality that once the digital path is open, OVF, US Mail, or FedEx notwithstanding, jurisdictions will explore leveraging the Net; it's happening already in several locations. That does not make it right or preferable, but it does make it a reality that we need to address.
So the District, at least – at our encouragement dating back to March in Munich – agreed to explore options, but they did have some requirements.
Specifically, they wanted to conduct a Pilot of a solution that might be a better alternative to accepting returned marked ballots as eMail attachments or Faxed marked ballots exclusively for their overseas and military voters. And particularly unique to their requirements was – to our delight – a fully transparent open source software solution with unbridled ownership of the resulting source code for all elements of the Pilot solution. That, of course, is in complete harmony with our charter and mission.
Again, for those readers who know us, and understand our motivations and position on the Internet issue, you can understand our acute focus on the opportunity to deploy open source elections administration software in a real election setting. In the after-glow of this real possibility, and drilling into the details of how the ballot design studio could work for this, we realized we needed to get back to grappling with this digital ballot return detail of the Pilot project.
Initially, we were definitely concerned about how to approach this aspect of the Pilot, since we’ve been clear about our position on the use of the Internet. But to be frank, with the prospect that the District could simply turn to commercial proprietary Internet voting systems vendors, we felt we had to help find an alternative open source approach for the limited purpose of this Pilot. We encouraged the B.O.E.E. to find an alternative means to digitally return the ballot, neither by deploying Internet voting products, nor by continuing to rely on Fax or eMail attachments sent in the clear. In return, they asked for our help in figuring out how they could implement a solution that worked with real ballot and attestation documents as digital artifacts, which could be transported over an encrypted channel. This could be better than eMail, to be sure, but it would still use public packet-switched networks.
We turned to several of our technical advisers and convened a meeting to discuss how B.O.E.E. and OCTO could approach a digital vote-by-mail Pilot to explore this approach to improving on eMail attachments or faxed returns. The meeting was frank and open, and rather than continuing the rhetoric of avoidance, we witnessed a bunch of stalwarts in information security express concerns, suggest points of mitigation, and brainstorm on the possibilities. Several were kicked around, but tossed aside for want of either acceptable user experience, cost limitations, or operational practicality. A straw man solution was framed and members of the Core Team went off to refine it, knowing that there were aspects they simply could not address with this Pilot. Perhaps the most important Pilot parameter: this could not and would not be an exercise to completely assess and determine solutions to all of the known vulnerabilities of securing a voting transaction over a public network.
But it was agreed that a “digital vote-by-mail” process – with the known vulnerabilities and constraints – could be a “worked example” that simply was not what proprietary commercial vendors are selling. And, it was realized that such a solution could not and should not claim any victory in improved security or privacy – no such reality can exist in this solution.
And folks, that is simply and honestly the extent to which we were and are treating this: a “worked example” to serve as a vehicle for voices on all sides of the argument to train their attention in assessing, testing, and determining the viability of such an approach strictly for those overseas and military voters.
One could say the Foundation took a calculated risk: that in order to achieve the larger goal of deploying open source elections technology into a real production environment (a first, and hopefully a ground-breaking step), we would have to accept that our Stakeholder, B.O.E.E., would use the Internet to transport a ballot and attestation document pair using the best possible techniques currently available – HTTPS and standard encryption tools. And in some measure, at least they had chosen not to pursue a commercial proprietary Internet voting solution, given their steadfast requirement of open source software and maximum transparency.
To my activist colleagues I offer this: we’re giving you a worked example on which to build your arguments against digital transport. Please do so! We're with you, believe it or not. Very frankly, I’d be happy to support some initiative to severely restrict the use of public packet switched networks for transacting voting data.
I want to (re)focus the Project's attention on the reason a few of us gave up our paying jobs some four years ago: to build a non-profit solution to restore trust in the computers used in the various processes of casting and counting votes. We don’t advocate iVoting. We do advocate accuracy, transparency, trust, and security in the use of computers in elections and intend to keep working on that open source framework. We do believe limited Pilots are worth it for the special use case of UOCAVA voters, if such a Pilot can fuel an intellectually honest debate and/or initiatives to resolve the concerns, or end the use of the Net altogether in this regard. We think the District of Columbia's Pilot is such a worked example.
OK, this went way over my intended length, but in the spirit of transparency it's important we explain what’s been underway for the past several weeks from an authoritative source: Us. In the next installment on this topic, we will discuss more details on the technology we'll provide for the District's Pilot, reiterate our concerns, and also consider the potential of the open source movement in public elections systems.
Thanks for reading. Greg Miller
Although he was talking in a very different context, I still think that Bruce Schneier's perspectives on worst-case thinking have relevance to us:
"Worst-case thinking means generally bad decision making for several reasons. First, it's only half of the cost-benefit equation. Every decision has costs and benefits, risks and rewards. By speculating about what can possibly go wrong, and then acting as if that is likely to happen, worst-case thinking focuses only on the extreme but improbable risks and does a poor job at assessing outcomes." (from Schneier on Security)
I recommend you read Bruce Schneier's perspectives on worst-case thinking; it's quite interesting, and you will see his second and third reasons why we need to be careful with worst-case thinking.