Background

 

What is Open Source Software?

 

The term “open source software” generally refers to a computer program for which the source code is available to the public and is created, used, modified, and continually improved through an open and collaborative effort.  However, the degree to which the software is “open” can vary, and there’s an extremely wide spectrum of different strategies used to develop and license open source software.

 

The most well-known open source software is Linux, which is a computer operating system (as is Microsoft Windows).  Linux was created and has been continually improved since the early 1990s by a worldwide community of volunteer software experts collaborating over the Internet.

While open source advocates concede it’s impossible to create perfect software, they believe open source software is extremely reliable and trustworthy – because unlike its proprietary counterparts, open source software is developed and constantly improved through input from experts in an open, global community.  According to Linus’s Law, which was coined by Eric S. Raymond, a leading figure in the open source field, and named after Linux creator Linus Torvalds, “Given enough eyeballs, all bugs are shallow.”  Linus’s Law means that if you have a large community of experts reviewing the software, you can quickly identify and fix most computer software bugs and other problems.

In his essay “The Cathedral and the Bazaar,” Raymond likens “closed source,” or proprietary, software (such as Microsoft products) to a cathedral, because only one company’s engineers have access to the source code for the software, and only that company can identify and fix bugs, viruses, security holes, and other weaknesses.  Therefore, problems take longer to solve, and the user is likely to end up paying to get the solution.  By contrast, open source software (such as Linux) is, according to Raymond, like a bazaar, because millions of people have access to the source code and can analyze it, identify problems, and propose fixes immediately using the Internet and a meticulous system of vetting ideas.

Bruce Perens, a major figure in the open source movement, has laid out the framework and general principles of the open source model, including free access, distribution, downloading, and modification of the source code that makes up a piece of software.  Different types of open source licenses allow more or less “openness” depending on the particular creators’ goals, providing different levels of flexibility for people to use, add, modify, and redistribute open source software (http://perens.com/Articles/OSD.html).  To clarify a common misconception, “modify” does not mean the original source code is modified by computer users who’ve identified a problem and found a way to fix it.  Rather, it means the code can be downloaded and modified for one’s own use or for others.  Any changes to the original source code are only made by the person, group, or company that licensed the code.

Many corporations now use open source software systems, including Bank of America, Amazon.com, America Online (AOL), DreamWorks, Charles Schwab, IBM, and Merrill Lynch, to name a few.  In recent years, federal and state agencies – including the state of Massachusetts – have begun to migrate some of their computer systems from proprietary to open source software.  Last September, California State Chief Information Officer Clark Kelso established an Open Source Working Group of information technology managers from ten different state departments.  Today’s hearing will include a discussion of the Department of Defense and the California Air Resources Board’s experiences in moving toward open source computer systems.

 

However, even open source advocates agree the open source model is not necessarily the right solution for every technology need.  The purpose of this hearing is to discuss the potential for using open source software in California’s voting systems and whether doing so will create more transparency, security, reliability and confidence in the electoral system.

 

Current Election Law

 

Federal law requires the Election Assistance Commission (EAC) to certify voting systems used in the U.S.  In addition, California law requires the Secretary of State to certify voting systems used in the state and to hold an exact copy of the source code for each certified voting system in escrow.  The Secretary of State has the authority to conduct an independent review of the source code for each voting system used in California.  However, because the voting systems used in California and the 49 other states are proprietary – that is, copyrighted by the companies that developed them – those source codes are held strictly confidential and out of the public’s view. 

While California law only requires voting software to be held in escrow for the Secretary of State’s review, a new North Carolina law requires voting system vendors to allow their source codes to be reviewed not only by the Secretary of State, but also by the state Board of Elections and the chairs of the state’s political parties.  The law is designed to help identify security flaws in voting systems.  Diebold refused to comply with the law on the grounds that its software is closed-source and proprietary. After losing a legal challenge to the North Carolina law, Diebold has chosen not to do business in North Carolina.

Current law does not specify whether voting systems must be proprietary or open source, so there’s nothing to prevent an open source system from being presented to the federal government and the Secretary of State for review and certification.  

Some open source advocates suggest it may be in the public’s best interest to require all voting software to be open source or at least be “disclosed” so the public can examine the code, help identify weaknesses and propose fixes, have visible proof of the software’s integrity, and ultimately have more confidence in the electoral system.  In fact, DeForest Soaries, the chairman of the EAC, has recommended that voting system vendors be required to release their source codes to the states under nondisclosure agreements, and that computer scientists in each state should review the software under the agreements.   

 

ACR 242 (Goldberg), Resolution 171, Statutes of 2004, asked the Secretary of State to investigate the possibility of using open source software in voting system technology.  The Secretary of State released a 16-page report titled “Open Source Software in Voting Systems” on January 31, 2006, which recommended further research into whether open source software should be used for voting systems.

New Research

 

In 2005, the National Science Foundation (NSF) awarded a $7.5 million grant to a team of researchers from six institutions around the U.S. for a five-year study on how to design and build secure and reliable voting systems.  The ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections) team includes Professor Avi Rubin of Johns Hopkins University (Director), Drs. Drew Dean and Peter Neumann of SRI International, Professor Doug Jones of the University of Iowa, Professors Dan Wallach and Michael Byrne of Rice University, Professors Deirdre Mulligan and David Wagner of the University of California at Berkeley, and Professors Dan Boneh and David Dill at Stanford University.

Part of ACCURATE’s research on voting technology will involve the study of open source voting systems.  According to ACCURATE, “As technology becomes more complex and elections become increasingly reliant upon technology it is necessary to consider what level of access, review, and openness of code is necessary to ensure that the standards, testing, and certification are capable of verifying an election technology’s ability to support election policies.” (emphasis added)  Several of ACCURATE’s team members will be participating in today’s hearing, as well as in this committee’s hearing on February 16, which will examine the federal testing and certification process for voting systems.

 


Purpose of the Hearing

 

The goals of today’s hearing are informational, and some of the questions the committee will look to explore are: