recommended reading

How To Ensure Trustworthy, Open Source Elections



By Joe Kiniry and Daniel Zimmerman September 29, 2016

recent posts

Joe Kiniry is CEO and chief scientist at Free & Fair, a Galois spinoff focused on advancing secure, transparent elections technology. Daniel Zimmerman is a computer scientist at Free & Fair.

A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—has brought simmering concerns over the legitimacy of election results to a boil.    

From the perspective of voters, a trustworthy election is one in which they can be confident their votes have been counted as cast and their anonymity has been maintained. From the perspective of election officials, a trustworthy election is one in which they can be certain their voting equipment, voting systems and overall processes have functioned correctly from start to finish and the will of voters has been truly expressed.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Open source software is computer software whose source code is made freely available to anyone who wants to use, study, enhance or re-distribute it for any reason. Jurisdictions can deploy open source software at very low cost, and security experts and the general public can evaluate its security and reliability.

Increasingly, influential jurisdictions are demanding products and systems built for them be open source. Three counties—Travis County, Texas (which includes Austin); Los Angeles County; and San Francisco City/County—are taking concrete steps toward deploying open source elections technology. The path from the status quo to trustworthy, open source election systems may seem daunting; however, it can be broken down into a series of small, common sense steps, each of which has a positive effect on current election systems and processes.

Step I: Audits, Testing and a Security Mindset

The first step is to consciously adopt a security mindset. This does not have to be a costly undertaking—it is more a shift in perspective. Work from the assumption that “bad guys” will try to hack systems and manipulate elections, and constantly seek ways to improve security within existing systems and processes.

An easy way to increase confidence in election results is to conduct risk-limiting audits. This is a straightforward process requiring relatively little resources or technology. Jurisdictions can conduct RLAs themselves, or qualified third parties can conduct RLAs on their behalf.

An RLA is essentially a random check of a relatively small number of ballots to determine whether the digital cast vote records in the system match their corresponding paper ballots. If an election is not extremely close, an RLA can statistically show whether the tabulated results are correct using a surprisingly small number of ballots.

To help quickly detect any technical issues that may arise on election day, jurisdictions should conduct parallel testing. This involves casting test ballots on a number of randomly selected voting stations under conditions that simulate actual election day usage. In such tests, the ballots used are known to the testers and can be compared to the recorded results.

If both parallel testing and a post-election RLA are conducted on the results it will provide great certainty whether anything has gone wrong with processes or equipment, all with very little expense.  And if something suspicious is detected, the audit results provide a starting point to further investigate, remedy and mitigate problems in the future.

Step II: Improve the RFP Process

Part of the reason trustworthy, open source election systems are not yet widely prevalent is that few jurisdictions specifically require them. Election vendors, in turn, create systems that only satisfy the requirements put forth by the jurisdictions. To break out of this vicious cycle, jurisdictions must improve the RFP process to gain greater flexibility and control when it comes to evaluating and adopting open source systems.

This means opening the bid process to greater competition; allowing for a modular implementation approach that provides far more flexibility and control through the use of open APIs and open data formats; securing evidence backing up claims of vendors that sell closed source, proprietary systems; and demanding price transparency and allowing for the use of commercial off-the-shelf hardware.

Step III: Ensure Trustworthiness and Transparency

If something does go wrong, whether a technical malfunction or the work of a bad guy determined to disrupt the election, election officials will still have to fix it. That may involve a labor-intensive manual recount or even an expensive re-run of an entire election, with accompanying public relations issues and potential loss of voter confidence in both the election outcome and the election system as a whole. Clearly, it would be better to have a trustworthy election system that prevents such problems, with reliable vendors who stand behind it long-term.

There are three critical ingredients to the realization of fully trustworthy and transparent systems and vendor relations. First is the use of transparent, open source solutions. Jurisdictions that purchase software from a vendor should have full access to, and ownership of, the source code and be able to freely modify the software to serve their own future needs and to hire other companies or individuals to carry out such modifications on their behalf.

Additionally, voters and other interested citizens should have full, immediate and unimpeded access to inspect, build, analyze, execute and benchmark the source code.

Second, high-assurance systems are built in such a way it is possible to prove with mathematical certainty they work precisely as intended and as designed. Only recently have they become powerful and affordable enough to produce large pieces of software like election systems, which means jurisdictions can now leverage high assurance techniques to provide evidence of election correctness and security.

Finally, for most physical infrastructure, such as bridges and buildings, architects and engineers can be held liable for design defects and any damages caused by such defects, and contractors can be held liable for defects in workmanship. For computing systems, however, the vast majority of vendors explicitly disavow any liability for defects or damages. This is unacceptable for critical systems, and election vendors should stand behind the systems they design and build just as architects and civil engineers do.

In the federal government, we often speak of “mission critical” systems, and the fact is democracy is a critical system in our country. Given its vital role underpinning democracy, voting must be conducted using high-assurance systems. By considering these steps, jurisdictions and election officials can ensure trustworthy, open source elections.


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.