Electoral Commission bucks Senate on voting source code

Source code release could "leave the voting system open to hacking or manipulation"

The Australian Electoral Commission has refused a Senate order to reveal the underlying source code of the EasyCount software used to tabulate votes in upper house elections.

A motion moved by Greens Senator Lee Rhiannon on 10 July directed Special Minister of State Michael Ronaldson to table the source code as well as correspondence between Ronaldson's office and the AEC relating to a freedom of information request for the source code.

In October, following the fraught outcome of the Senate election in WA, Hobart lawyer Michael Cordover filed a freedom of information application with the AEC requesting the release of the source code and documentation of any data formats used by the software.

The AEC rejected the FOI application, citing section 45 of the FOI Act, which exempts "documents that disclose trade secrets".

Cordover appealed the AEC's decision, including by applying earlier this year to the Office of the Information Commissioner for a review.

The OAIC revealed in June, however, that it would be unable to make a ruling on the appeal before the organisation ceases to operate under cost-saving measures announced by the government in the budget earlier this year.

Cordover launched an appeal on crowdfunding site Pozible to help pay for an appeal of the FOI decision at the Administrative Appeals Tribunal.

The upper house's motion required the code to be tabled by 15 July. However, a letter (PDF) from Ronaldson to the clerk of the Senate, tabled yesterday in the upper house, stated that the government "will not table any documents or correspondence relating to Mr Cordover's FOI request or the source code for the Senate counting system."

The letter said that publication of the software "could leave the voting system open to hacking or manipulation."

"In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems," the letter states.

The letter said that it would not be "appropriate for the Government to comment further" on the issue because the FOI application is before the Administrative Appeals Tribunal.


8 Comments

Derek

1

Seems like if Abbott can't buy the next election, he will simply steal it instead.

Greg

2

@ Derek, have you ever worked on an election or know the process? This has nothing to do with Abbott or any politician. The issue is about revealing the source code for the computer software. Allowing the software to be handed to any one on an open slater would compromise the operating system. Also it is considered "trade in secret" and would allow other software developers the chance to copy or modify the software or hackers to find a way into the OS.
Just for the record my father was very high up in the AEC for many years and I have worked on the electoral system for 30 years.
An election is not a one day event, it takes many months after the election day to formally finish the vote / election. Also do not forget that anyone can easily apply to the court and have a recount if a vote is close and this also needs to be considered. Hence the WA recount and vote.
Also the AEC is a branch of the public service and independent of political parties to keep the integrity of the system in place, not like the USA where they have 40 systems to use for the presidential election and then the political parties are part of that system also.

Sean

3

Greg, I understand from your comment that you are something of an expert in this software, and that anyone with your knowledge of how votes are tallied would be able to modify the outcome of Australian federal elections?

John

4

"Allowing the software to be handed to any one on an open slater [sic] would compromise the operating system."

What you are saying is that the election is safeguarded by what is called "security by obscurity". Or in other words, rather than having the software open so that security researchers can point out its flaws, you leave the flaws in place and hope that nobody knows what they are.

People who rely on this method are known in security circles as "blathering idiots", "damned fools", "corrupt officials hiding something", and various things like that.

It's the moral equivalent of giving all the paper ballots to one single pointy headed official, asking him to count them, and then believing whatever number he decides to cough up. That's what you expect in Cuba, and other dictatorships.

IDidntCodeThis

5

Most likely it's a half-arsed perl script with no comments in the code. It could be they are simply too embarrassed to release it.

If a FOI request for the source code is denied, a FOI request for documentation of the verification, validation, and testing of the software should be submitted.

Who cares about seeing the source code? I care that there is a high level of assurance that the whole implementation is correct. The whole implementation is deeper than the source code. It includes called libraries and the compiler. Anywhere a defect could deliberately or accidentally hide.

DB

6

"Allowing the software to be handed to any one on an open slater would compromise the operating system"
Errm no, open source software is among the most secure, due to many eyes being able to survey the code for flaws. Operating system also has nothing to do with it.

"Most likely it's a half-arsed perl script with no comments in the code. It could be they are simply too embarrassed to release it."
Doubt it. Government likes to use the horror that is Windows/Microsoft... it'll likely be a half-arsed application written in either .net or access.
Out of interest, what trade secret would a piece of software that shouldn't do any more than count votes have that some basement hacker can't quickly whip up in python/perl etc.?

Robert Brockway

7

I'm very disappointed to see the AEC engaging in security through obscurity. They should be made to come into line with modern information security practices.

They should release the source code so that it can be widely audited ("given enough eyeballs, all bugs are shallow" - ASR). The correct time to do this is soon after an election to give sufficient time for the audit before the next election.

Robert Brockway

8

That quote should be attributed to ESR, sorry. Please excuse my finger memory.
