Open-source software runs huge swathes of the digital world, from big tech firms like IBM and Google to governments across the globe. Around two-thirds of companies with more than 10,000 employees across all industries use open-source software, with a further 11 percent planning to do so. A new project aims to expand open source’s reach even further: opening up the codebase of voting machines.
VotingWorks, a San Francisco-based nonprofit, wants to restore trust and faith in the electoral process while also battling the risk of election interference from hackers—many of whom are, increasingly, state-sponsored. The goal is ambitious: “We can have a publicly owned operating system for democracy,” says Ben Adida, VotingWorks’ cofounder, amid coughs, fighting off an early February cold. Adida, who previously worked for Mozilla, Square, and Clever, an education technology company, believes that VotingWorks—which was set up on November 6, 2018, U.S. Election Day—is needed now more than ever.
“Elections are a very special thing,” he says. “They’re the one thing that we all, in any given country, depend on to elect our leaders. Hopefully the one thing we still agree on is the notion of democracy itself. How we count votes and carry out elections should not be a privatized operation.”
In the United States, a handful of conglomerates have a stranglehold on the supply of electronic voting machines and technology for elections. A 2016 study by the University of Pennsylvania’s Wharton Public Policy Initiative found that the top three voting machine manufacturers covered 92 percent of the total eligible voting population—a position they’ve consolidated and strengthened over the last decade.
“[The United States] is the only country in the world that seems to feel the need to solve its election infrastructure problems without, you know, having bids and procurement processes,” says Joseph Lorenzo Hall, chief technologist at the nonprofit Center for Democracy & Technology (CDT) in Washington, D.C. “We rely on a free market to do this.”
That’s fine if you’re a large jurisdiction with a significant budget to woo voting machine manufacturers. You can call the shots and ask for changes to suit your needs. But there are more than 10,000 election administration jurisdictions across the United States, many of which handle a comparatively small number of voters. These jurisdictions have low leverage and, in some cases, zero choice. You pick the single voting machine manufacturer’s product or you don’t get a voting machine at all.
It’s an odd situation for election organizers and the voters casting their ballots, particularly for a process so crucial to democracy. Adida believes the public and their elected representatives must regain ownership of their voting technology—and make it dramatically transparent. He believes it so strongly that he quit his job to do it.
Hall had known Adida for many years. Adida graduated from MIT with a doctorate in cryptography and information security in 2006, a few years before Hall completed his own. The two ran in the same circles: Hall’s thesis was about existing voting machine security, and Adida’s was about building a new cryptographic voting system. They became friends, so when Adida called Hall up in the fall of 2018, it wasn’t unusual. But what Adida said to him on the phone was.
“He was like, ‘I’m thinking about quitting my job and building a voting machine,’” Hall remembers. “My first response was, ‘That is totally crazy.’”
Admittedly, Hall had misheard Adida—he thought his friend planned to build a voting machine in just two months. But when he learned more, Hall warmed to the idea. Now the CDT is helping to incubate Adida’s VotingWorks project, covering some of the overhead and providing tax-exempt status as a nonprofit. “I have an unfortunate amount of experience in nonprofit legal structures,” says Hall. “Long story short, CDT is now an open-source voting machine manufacturer until Ben is able to incubate his nonprofit into its own structure.”
The project, less than a year old, is still at an incredibly early stage, but Adida has help from an assistant and a handful of volunteers. Over a hundred others have signed up to offer support on the VotingWorks website, a number which has been a pleasant surprise to Adida. He’s still trying to decide how to put them to work.
“We figured when we launched this in November, right before the elections, that a few people would be interested in helping,” he says. “It’s really heartwarming to see the amount of energy out there to help address the issue.”
The problem—that three big manufacturers of closed-source voting systems have a grip on U.S. election technology—is multifaceted. Adida wants to wrest control from big companies looking to profit from the democratic process, but has a similar and equal ambition to ensure that that process is as transparent as possible.
Meanwhile, trust in elections has diminished. While 9 in 10 Republicans and Democrats say it’s important to have an election free from tampering, just 55 percent of Democratic voters and 62 percent of Republicans believe U.S. elections are free from it, according to a Pew Research Center poll. A separate poll by NPR and Marist has found that 38 percent of voters don’t believe elections in the United States are fair.
At the same time, state-sponsored interference in elections, often via hacking, is on the rise.
The Alliance for Securing Democracy alleges that since 2004, Russia has meddled in the elections of 27 different countries, including by hacking email accounts to release information that benefits one party over the other, launching massive cyberattacks that include distributed denial-of-service (DDoS) attacks designed to take voting systems offline, and funding ads on social media that support preferred candidates.
What do these allegations mean for the future of Adida’s open-source voting machine?
Open-source software is already used in many election-related applications. “Not necessarily voting, but more standard systems dealing with everything from voter registration and management of electoral systems to things like handling electronic polling books on election day,” says Steven Martin, senior advisor on new voting technologies at the Organization for Security and Co-operation in Europe’s Office for Democratic Institutions and Human Rights, which oversees elections.
And open-source voting systems have already been put to use. In 2015, certain eligible voters in the Australian province of New South Wales used an open-source voting system called iVote. More than 280,000 ballots (around 5 percent of all votes cast during the election) were processed by the system, though it came under criticism when an independent security analysis found “severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism.” Still, the election was the biggest open-source voting experiment in history, compared to Norway’s 70,000-odd votes cast through open-source electronic systems in 2013 and Estonia’s more than 175,000 in 2015.
In Los Angeles County, officials have built what they call an open-source voting system, though its source code has yet to be made public. Los Angeles’s proprietary state-funded and state-developed software runs on hardware infrastructure owned by the county rather than by a private firm.
This relatively unusual state of affairs is due at least in part to the county’s status as a geographic and demographic outlier. For instance, the sheer number of registered voters in Los Angeles County—5,280,658 as of October 2018—made it difficult for the existing market to meet its requirements. In 2002, the Help America Vote Act disbursed around $4 billion to electoral districts nationwide to fund the purchase of new equipment. Hall estimates that Los Angeles County has between $60 million and $80 million of that pot. “They literally could not buy anything on the market that would meet the needs of their voters. They’re just too big.”
That meant the county had a significant sum sitting in their coffers (collecting interest—and quite a bit of dust) for years. By 2009, officials realized that if they couldn’t buy a solution, they would have to build one.
But why open source? “It can save costs in licensing fees,” says Martin. “Licensing can be quite expensive, and there are lots of other costs associated with it, from hardware support to human resources and so on.”
Moreover, while freely available source code may make it easier for bad actors to poke holes, radical transparency also means that white-hat hackers can find those same vulnerabilities and flag them to be fixed. “There’s a growing misconception that publishing source code is publishing the secrets that make things work,” says Martin. “That’s not necessarily the case if you have good software and coding techniques.”
The number of unknown vulnerabilities in closed-source code is likely enormous, Hall says. Worse, we know it exists in current closed-source voting machines. One University of Michigan computer science professor, J. Alex Halderman, has an annoying—but revelatory—habit of hacking into voting machines used in actual elections and making them do goofy things, like emulating Pac-Man or playing the Michigan fight song, to highlight the security gap.
With open-source software, to be forewarned allows you to be forearmed. “Ultimately, state actors are going to have access to the source code one way or another, if they want to,” Adida says.
It’s a principle that dates back to 1883, when Dutch cryptographer Auguste Kerckhoffs published an article on military ciphers containing an idea that would become known as Kerckhoffs’s Principle: “The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents.”
It’s the same idea that keeps the Advanced Encryption Standard (AES), the main system used for encryption today, safe. Tools like AES, Adida says, are “developed in 10-year-long, radically open competitions where people are just banging away at them using very sophisticated tools before we pick one and say, ‘This is resilient.’”
Adida seeks the same level of scrutiny in developing his open-source voting machine. He plans to use preexisting consumer hardware, such as iPads, upon which to build strong security technology. (An iPad, after all, has already been tested by millions of users.) Then he’ll make his software available for the same kind of vetting. This is the great benefit of an open-source system, he says: “It’s out there for everybody to see, so it requires more focus and work. Your practices tend to be better.”
The OSCE’s Steven Martin sees this kind of transparency as an antidote for public distrust in the democratic process. “What has to be in place is demonstrated trust, not blind trust,” he says.
It’s also what Adida sees as the major benefit of his voting machine project. “What transparency provides is more than security. What it brings is accountability and trust.”
The VotingWorks source code will eventually be available on GitHub, its pull requests visible to everyone. Users will be able to “trace every line of code to whoever wrote it and whatever design decision was made,” says Adida. “That’s a level of transparency and reasoning that you just can’t get from a proprietary vendor, right?”
The key question, however, is when this new era of radical transparency in democracy will dawn. “We’ve only just started,” says Adida. “This is going to take many years.”
Still, 2020 is the target for Adida and his team of volunteers. “I hope we can have some modest impact then.”
Martin reckons that Adida will find an eager audience among election officials, monitors, and academics. “There is a growing belief that there are potential benefits to moving or utilizing open-source technology in the context of voting machines,” he says. But first, “we need to make sure we build the right thing, to make sure we’re working closely with election officials and voters, and to make sure we’re building the right product.”
After all, Adida says, “this is really important.”