How To Ensure Trustworthy, Open Source Elections


From the perspective of voters, a trustworthy election is one in which they can be confident their votes have been counted as cast and their anonymity has been maintained.

Joe Kiniry is CEO and chief scientist at Free & Fair, a Galois spinoff focused on advancing secure, transparent elections technology. Daniel Zimmerman is a computer scientist at Free & Fair.

A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—has brought simmering concerns over the legitimacy of election results to a boil.    

From the perspective of voters, a trustworthy election is one in which they can be confident their votes have been counted as cast and their anonymity has been maintained. From the perspective of election officials, a trustworthy election is one in which they can be certain their voting equipment, voting systems and overall processes have functioned correctly from start to finish and the will of voters has been truly expressed.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Open source software is computer software whose source code is made freely available to anyone who wants to use, study, enhance or re-distribute it for any reason. Jurisdictions can deploy open source software at very low cost, and security experts and the general public can evaluate its security and reliability.

Increasingly, influential jurisdictions are demanding products and systems built for them be open source. Three counties—Travis County, Texas (which includes Austin); Los Angeles County; and San Francisco City/County—are taking concrete steps toward deploying open source elections technology. The path from the status quo to trustworthy, open source election systems may seem daunting; however, it can be broken down into a series of small, common sense steps, each of which has a positive effect on current election systems and processes.

Step I: Audits, Testing and a Security Mindset

The first step is to consciously adopt a security mindset. This does not have to be a costly undertaking—it is more a shift in perspective. Work from the assumption that “bad guys” will try to hack systems and manipulate elections, and constantly seek ways to improve security within existing systems and processes.

An easy way to increase confidence in election results is to conduct risk-limiting audits. This is a straightforward process requiring relatively little resources or technology. Jurisdictions can conduct RLAs themselves, or qualified third parties can conduct RLAs on their behalf.

An RLA is essentially a random check of a relatively small number of ballots to determine whether the digital cast vote records in the system match their corresponding paper ballots. If an election is not extremely close, an RLA can statistically show whether the tabulated results are correct using a surprisingly small number of ballots.

To help quickly detect any technical issues that may arise on election day, jurisdictions should conduct parallel testing. This involves casting test ballots on a number of randomly selected voting stations under conditions that simulate actual election day usage. In such tests, the ballots used are known to the testers and can be compared to the recorded results.

If both parallel testing and a post-election RLA are conducted on the results it will provide great certainty whether anything has gone wrong with processes or equipment, all with very little expense.  And if something suspicious is detected, the audit results provide a starting point to further investigate, remedy and mitigate problems in the future.

Step II: Improve the RFP Process

Part of the reason trustworthy, open source election systems are not yet widely prevalent is that few jurisdictions specifically require them. Election vendors, in turn, create systems that only satisfy the requirements put forth by the jurisdictions. To break out of this vicious cycle, jurisdictions must improve the RFP process to gain greater flexibility and control when it comes to evaluating and adopting open source systems.

This means opening the bid process to greater competition; allowing for a modular implementation approach that provides far more flexibility and control through the use of open APIs and open data formats; securing evidence backing up claims of vendors that sell closed source, proprietary systems; and demanding price transparency and allowing for the use of commercial off-the-shelf hardware.

Step III: Ensure Trustworthiness and Transparency

If something does go wrong, whether a technical malfunction or the work of a bad guy determined to disrupt the election, election officials will still have to fix it. That may involve a labor-intensive manual recount or even an expensive re-run of an entire election, with accompanying public relations issues and potential loss of voter confidence in both the election outcome and the election system as a whole. Clearly, it would be better to have a trustworthy election system that prevents such problems, with reliable vendors who stand behind it long-term.

There are three critical ingredients to the realization of fully trustworthy and transparent systems and vendor relations. First is the use of transparent, open source solutions. Jurisdictions that purchase software from a vendor should have full access to, and ownership of, the source code and be able to freely modify the software to serve their own future needs and to hire other companies or individuals to carry out such modifications on their behalf.

Additionally, voters and other interested citizens should have full, immediate and unimpeded access to inspect, build, analyze, execute and benchmark the source code.

Second, high-assurance systems are built in such a way it is possible to prove with mathematical certainty they work precisely as intended and as designed. Only recently have they become powerful and affordable enough to produce large pieces of software like election systems, which means jurisdictions can now leverage high assurance techniques to provide evidence of election correctness and security.

Finally, for most physical infrastructure, such as bridges and buildings, architects and engineers can be held liable for design defects and any damages caused by such defects, and contractors can be held liable for defects in workmanship. For computing systems, however, the vast majority of vendors explicitly disavow any liability for defects or damages. This is unacceptable for critical systems, and election vendors should stand behind the systems they design and build just as architects and civil engineers do.

In the federal government, we often speak of “mission critical” systems, and the fact is democracy is a critical system in our country. Given its vital role underpinning democracy, voting must be conducted using high-assurance systems. By considering these steps, jurisdictions and election officials can ensure trustworthy, open source elections.