1

Recently, I engaged in a discussion on what would be the most befitting model for a piece of software sitting on top of an electronic voting system i.e. being in charge of collecting and summarzing results, detecting any fraudulent actions etc. The question was whether such a solution would be ultimately safer (and more reliable) if its source code was fully available to the public, if it was closed-source (therefore ensuring some additional "security by obscurity") or maybe a hybrid approach?

I'd go for the first approach:

  • in my understanding, as long as we can ensure that the algorithms used are correct and safe it doesn't really matter whether the source code is publicly available
  • it is vital that voting system is fair and has no surface for backdoor access. Unless we fully trust the manufacturer, there is no way to ensure that, other than making the code available
  • profit motif is not involved and so, hindering the competition from stealing/sneaking on the solutions used is irrelevant

I'd love to know your thoughts on the topic. The only "real-life" example of an electronic voting system software is the one employed in Brazil which, as far as I know, it's considered very good and safe, even though it remains closed-source.

Pasato
  • 119
  • 2
  • 1
    "security by obscurity" does not exist. Voting software might not be the one which is best discussed in terms of security due to the other aspects of electronic voting like the ability of the public to monitored and understand the process and not just specialists. Either case, this question IMHO is more an opnion poll than a question which can be answered – planetmaker Feb 05 '23 at 15:12
  • I agree and realize there's no "correct" answer to this question, but I felt it was an appropriate place to pose it. I'd probably also add that, ideally, the voting process should be easily reproducible, like in the case of results described in research papers – Pasato Feb 05 '23 at 18:51
  • To a very real extent, you better hope that open source software is the right model because almost all those systems are running on Linux, and if the OS is compromised it doesn't matter what the source code says. On the other hand, they're also running on closed source processors. "On Trusting Trust" as always. – Philip Kendall Feb 05 '23 at 21:19

1 Answers1

3

It may be useful to distinguish two separate aspects:

  • software is Source Available if its source code is publicly available for inspection.
  • software is Open Source if it is possible to use, modify, and share the software for any purpose. Access to the source code is a necessary but not sufficient condition for that.

The purpose of election software is not only to correctly record and tally votes, but to foster confidence in the election process, e.g. by limiting opportunities for human mistakes and intervention, and by making voting more accessible. However, this requires that the voters have confidence in the software and hardware used for voting. Auditability of an election process is a core requirement.

To achieve that purpose, it is tremendously helpful for the voting software to be Source Available, so that it can be inspected by anyone. However, this purpose can be achieved without the software being truly Open Source.

My personal belief is that voting software which isn't even Source Available fails to achieve the purpose for such software, since the election process would be less auditable than with hand-counted ballots.

Keeping details of the election process private does not improve the security and integrity of the process. Consensus in the infosec community is that a scheme should remain secure when everything about it is public, other than cryptographic keys (→ Kerkhoff's Principle). This does not imply that details about a security architecture must always be volunteered to the public – there is marginal value in obscurity. However, full transparency does not compromise the security of a system (any more than it already is broken). Motivated bad actors will obtain access to the election software and will be able to analyze it, so one might as well make it Source Available to give the public an equal chance to analyze it.

Some Open Source advocates claim that “given enough eyeballs, all bugs are shallow” (→ Linus' Law, though coined by ESR). I.e., making Source Available (and Open Source so that bugs can be fixed and tested by anyone) would help eliminate security issues, more efficiently than would be possible in closed source systems. This doesn't quite seem to be the case in general-purpose software. However, it is a valid argument when there is substantial public interest in the software, in particular with election software.

amon
  • 38,880
  • 1
  • 86
  • 113
  • thank you for an extensive answer, great to learn about Kerhoff's principle and I do agree with all the points you've made. I'm curious about the claim that Linus Law doesn't hold in case of general-purpose software. can you name a specific example of that? I've always felt that "all bugs are shallow as everybody is looking..." is a bit of a strawman argument for open-source - it sounds appealing in a principle, but I believe, for the majority of projects, the only people who care enough to truly familiarize themselves with the code are their actual maintainers – Pasato Feb 05 '23 at 18:42
  • @Pasato Correct, many people could take a look, but most people aren't motivated to. The canonical example is the Heartbleed vulnerability in OpenSSL which was a fairly obvious mistake in retrospect, but for a long time no one took a look (and reported it – who knows which shady actors were actively exploiting it). And there was only like one underfundend maintainer for that internet-critical software at the time…. Election software does tend to attract decent attention though – I live in Germany where the Chaos Computer Club would enjoy the chance to break these supposedly-secure systems :) – amon Feb 05 '23 at 19:05