
Estonian E-Voting Source Code Made Public - timgluz
http://news.err.ee/politics/0233b688-b116-44c3-98ca-89a4057acad8
======
mzf
Some heavy security checks:

[https://github.com/vvk-ehk/evalimine/blob/master/ivote-serve...](https://github.com/vvk-ehk/evalimine/blob/master/ivote-server/hes/vote_analyzer.py)

~~~
lucaspiller
Send a pull request :)

~~~
skrebbel
License says "no derivatives"

~~~
daxelrod
Interesting. That doesn't seem to square with this item from GitHub's ToS:

    
    
      > By setting your repositories to be viewed publicly, you agree to allow others to view and fork your repositories.
    

[https://help.github.com/articles/github-terms-of-service#f-c...](https://help.github.com/articles/github-terms-of-service#f-copyright-and-content-ownership)

~~~
3pt14159
View and fork does not mean view and fork and edit.

Some of us fork just so we can security audit the code once and then have a
safe place to clone from.

------
oellegaard
This seems like a good contrast to the typical (American-inspired) secrecy
around governmental systems. I would also like to believe open source makes
software more secure, but I'm not sure if there is any research that confirms
it.

Oh, and cool it's made in Python and not some enterprise Java or .NET :)

~~~
skrebbel
We're getting off topic, but you do know that it's perfectly possible to write
decent Java or C# without it being "enterprise", right? (whatever that means)

I'm starting to get sick of this "ruby/python/nodejs = cool, java/.net = slow
bloated enterprise crap for men with suits" attitude that keeps reappearing
here on HN.

Whether your work environment is cool, whether your code is decent and snappy,
all that has very little to do with your programming language choice.
Admittedly, if you compare modern Ruby to VB6 you might conclude that VB
sucks, but that's an unfair comparison since the technologies are a decade
apart. It's like saying Python rocks because you hate COBOL.

You can work at a scrappy startup and code lean C#, and you can work at a
bureaucratic departmentalized hell and code
AbstractProxyProviderFactoryProviders in Python.

And, yes, you can even work at a bureaucratic departmentalized hell and code
decent Python. Or Java. Or C#. Or Ruby.

~~~
eli
Java Enterprise Edition is the name of an Oracle product.
[http://www.oracle.com/technetwork/java/javaee/overview/index...](http://www.oracle.com/technetwork/java/javaee/overview/index.html)
It's "enterprise" literally by definition.

~~~
skrebbel
Indeed, and so it's uncool and crappier than Python? How is that related? The
OP clearly used the term "enterprise" with a negative connotation. I doubt he
was referring to a brand name.

~~~
glesica
I suspect the implication was that being written in Python makes the code more
accessible to "normal" people, both to read and (perhaps to an even greater
extent) to run. If it were written on .NET one would likely (because Mono is
incomplete) need a Windows server to run the code. If it was written using
Java there is a decent chance it would require some pretty complex
configuration and possibly a license of some sort from Oracle. I might be
misinterpreting the comment, but when I personally poke fun at Java or .NET
for being "enterprise-y", this is more or less what I'm talking about.

~~~
skrebbel
Thanks for taking a guess.

Actually though, it's rather difficult to run into Mono incompleteness when
making a web app these days. Mono's mostly lacking Windows-specific stuff like
WPF (UI-framework). Used to lack Entity Framework but that's solved since MS
open sourced that. You can take an existing ASP.NET app and there's a very
high chance you can just build it with xbuild and host it with Mono's xsp
server.

More generally, I do see your point but I believe it's a little outdated; the
time that Java apps just had to be built on 200k lines of XML is long gone as
well.

It's obviously a matter of taste, but I find it difficult to accept that well-
written Python would be easier to read than well-written C#. C# is more
verbose in places and less verbose in others. Writing crap code is about as
easy in both.

~~~
sirclueless
Are there really places where C# is less verbose by any significant margin?
The only thing I can think of is that a well-written LINQ library lets you
abstract away a tremendous amount of heavy lifting into a clean and
declarative query, but other than that pretty much everything requires more
keywords, punctuation and declaration in C#.

Don't get me wrong, C# is relatively explicit and regular, which does wonders
for its readability especially in large projects with many collaborators. But
brevity is not one of its strong suits, nor should it be.

~~~
skrebbel
Indeed, lambdas and LINQ. The moment you're using functional primitives that
don't fit in Python's list comprehensions well, C# becomes a lot less verbose,
and certainly less obtuse.

I think that's the only place, though.

------
zimbatm
C'mon, not a single positive comment? Things in the administration always
take time. At least it's a move in the right direction. Next add a build CI to
produce signed images. Then propose USB keys for people to boot their own
system on the voting booth.

At least it's better than the Diebold debacle in the states.

~~~
rimantas
IMHO internet voting falls under "because you can does not mean you should".

~~~
jsaxton86
There are two parts to this story:

- Estonia has an internet voting system

- Estonia just released the source code to their voting system

Even if internet voting is a terrible idea, a transparent election system is a
very good idea, and releasing the source code for your voting system is a big
step in that direction.

~~~
kmfrk
Ill-advised or not, a lot of countries are considering e-voting.

I think it's a bad idea as well, but like you, I think it's weird to be upset
that there are people who want to help achieve the best solution/compromise,
in the event that your country's government vote to implement something like
this.

I'm as pro-government as the next European, but we can all think of horrible
government project failures.

------
josephlord
How does a voter or independent voter know that the code that has been
verified is actually running on the machine that they connect to?

You have to trust the sys admins. And as we all know: something is trusted if
it can break your security policy.

~~~
Lewisham
All voting systems that I know of require trust, with or without machines. Do
you trust the person counting your ballot to count correctly? There's a
district in the UK that prides itself on always being the first to return
results. I would be fairly worried about the ballot counters there.

Eventually someone has to trust someone to execute correctly. Unless there's
some voting system I'm not aware of that doesn't require humans and is easily
verifiable at the point of voting by the average voter.

~~~
Anderkent
There are theoretical cryptographic systems where each voter can verify that
his vote was counted properly, without revealing his vote to anyone. I don't
think any have been implemented in practice.

~~~
josephlord
That in itself is a problem because the ability for the voter to prove who
they voted for opens them to coercion or bribery. Although doing it online (or
by post) opens that risk anyway.

~~~
dchest
Can verify != can prove to a third party

~~~
ReidZB
This is a critical distinction. As a concrete example, here's how voting
worked in a scheme I once read about. On any one ballot, the order of
candidates was randomized. Then the way the scheme worked was that after
voting, the voter tore off the candidate positions (but not their vote) and
threw it away in a huge pile of them, burned it, or whatever. (Made it so that
someone couldn't come behind them and figure out their position list,
essentially.)

Later, after the votes were tallied, the voter could verify that their ballot
was (1) counted and (2) counted towards their chosen candidate. But crucially,
all they could verify was that the vote counted towards position 1, or
position 2, or position 3, ...

The point is that since the voter couldn't _prove_ to a coercing party that
the position they voted for was (or was not) the candidate the coercer wanted
them to vote for, they were immune to coercion. They could prove that they
voted for position 2, sure. But which candidate was at position 2?

The voter knows the truth because they saw the position list. However, until
we have mind-reading technology, a coercing party could only take the voter's
word.

~~~
ams6110
I'm not following how the counting is done. If all the counter has is a ballot
with position 2 checked and the corresponding candidate name torn off, how
does that vote get tallied to the proper candidate?

------
technimad
No matter how open the code is. It is extremely hard, if not impossible, to
ensure this code is running on the actual systems.

E-voting sounds interesting in theory, but in practice it is basically not
worth the trouble. It is way more complex than a regular system with ballots
and the only gain is that the results can be published sooner.

~~~
oneandoneis2
Actually, E-voting could revolutionize politics.

Right now, we have to have presidents, prime ministers, even kings; making all
the big decisions for us because that was the only practical way.

E-voting makes it possible for the population to be consulted on any major
decision. This, IMHO, is the reason it's so unpopular amongst politicians.

Right now in the UK, for instance, MPs get to vote on their own salary
increases. Wouldn't it be nice if they were obliged to ask the voters instead?

Recent years have seen several unpopular wars begun by Western countries - if
political leaders had been unable to start those wars unless they'd had
majority approval from their populace, the world might well be a more peaceful
place right now.

E-voting is something with a lot of promise. But it diminishes the power of
the people who would have to implement it. So don't expect to see it
widespread any time soon.

~~~
orf
Consulting everyone on every major decision isn't the best way to make
decisions (who says the majority is right?). Most people wouldn't understand
the issues they are voting on and would be heavily swayed by the media.

~~~
yaddayadda
Once there is an easy online system in place then alternatives to an all or
nothing vote could be established. For example, you may vote for a
representative every X years and this representative would vote for you when
you opted not to. Over the course of X years there are hundreds of votes, but
you are passionate about 20 of them. You could directly cast a vote on those
20 issues, but your representative would cast votes, as a proxy, for the rest
of the issues.

~~~
Fargren
What happens when there's a big decision that heavily affects media interests?
They start using their sway on public opinion to make the decision important,
and a disproportionate number of people become "passionate" about an issue
they don't really know more than they were fed.

There are probably other problems, but I don't think this one is small.

~~~
yaddayadda
I don't disagree. There are other potential problems also, such as protection
of minorities. But right now I don't have the OPTION to vote directly, even if
I do know more than my elected official. Online election systems can provide
such options. Was my elevator spiel for one possible method _perfect_ - no.
But hopefully it got you and other readers thinking about the general concept
(it appears it got you thinking about it), possible challenges (it definitely
got you thinking about it), and possible benefits (yet to be seen).

------
baldurthoremils
The license (Creative Commons Attribution-NonCommercial-NoDerivs 3.0) is a
strange choice for a project published on Github. Github encourages forking
and making changes, which goes against the NoDerivs part of the license,
unless I'm misunderstanding something.

~~~
bru
You're right. CC licenses are not for software and are incompatible with the
GPL. Read more at
[http://wiki.creativecommons.org/Frequently_Asked_Questions#C...](http://wiki.creativecommons.org/Frequently_Asked_Questions#Can_I_apply_a_Creative_Commons_license_to_software.3F)

------
vvllddrr
The title is wrong (the article isn't, necessarily). The license,
[https://github.com/vvk-ehk/evalimine/blob/master/LICENSE](https://github.com/vvk-ehk/evalimine/blob/master/LICENSE), is non-free/open source.

~~~
yaddayadda
The "Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License"
is an "open source" license. The source code itself is "open" and can be
redistributed for free (beer not speech). But it is disappointing that they
have opted to prohibit derivatives, and it makes their posting of the code to
GitHub an interesting choice.

~~~
eli
A pull request would technically be violating the license, no?

~~~
yaddayadda
IANAL, but as I understand the license, yes it would violate the license.
Although, if I released something under a no-derivatives license on github,
I'd be less worried about pull requests and more worried about derivatives
made outside GitHub.

------
dobbsbob
Lots of proposals have been submitted on the bitcoin forums for some sort of
cryptocurrency solution/proof of work online voting, where there is full
transparency by looking at the block chain to see how many votes somebody had,
and prevention of a malicious actor forging votes. Of course you have to trust
whoever is mining the coins and handing them out, and trust end users' systems
aren't compromised.

I would expect in my country anyways that any online voting would be DDOS'd by
idiots looking for a soap box the media will pay attention to and create a
huge debacle resulting in them scrapping it and forcing a regular ol' paper
vote.

------
ChrisAntaki
Could it be, that secret ballots are insecure?
[https://en.wikipedia.org/wiki/Secret_ballot](https://en.wikipedia.org/wiki/Secret_ballot)

In the US, we officially supported secret ballots in 1892. Still, I wonder if
we all found the strength to open up the ballot, if that wouldn't eliminate
some of the viability of voting fraud?

I'll start, I voted for Obama in 2008 & 2012.

~~~
josephlord
Yes everything about voting gets simpler if you throw away the anonymity
aspect. The election can be better audited[1] and you can be too if you voted
for the wrong party. You would also probably get to discover the market price
of votes in marginal constituencies.

[1] Audited, fired from a government job, beaten, not to mention social,
religious or family pressures to vote in a particular way. The reality or fear
of these things could influence elections if not so much in the West but if
these standards were adopted where elections are a little more life
threatening (I'm thinking of Kenya but there are probably many other examples
too).

~~~
davidw
In Italy, there's a strict ban on phones or cameras in the voting booths
because, like you say, it's a way to verify that you voted for who you did,
and consequently, get paid for it.

------
pwr
Sadly many of the identifiers are named in Estonian, limiting this project to
Estonian developers only. I'm aware that this is _Estonians'_ voting system,
but I'm sure there are developers all around the world who would be interested
in contributing (especially security audits would be interesting) to this
project without the necessity of reverse engineering/translating the code.

~~~
gotofritz
We all know naming things is one of the most difficult things in programming.
Give the guys a chance, let them do it in the language they are fluent in,
rather than the language you grew up with

------
ERRnews
Original story at
[http://news.err.ee/politics/0233b688-b116-44c3-98ca-89a4057a...](http://news.err.ee/politics/0233b688-b116-44c3-98ca-89a4057acad8)
has been updated with some background - domestic controversy and such

~~~
knqku
Even more controversy:

* Release of E-Election Software Code 'Did Not Go Far Enough' [http://news.err.ee/sci-tech/940d2015-ffe1-4c9f-98e8-6fc60935...](http://news.err.ee/sci-tech/940d2015-ffe1-4c9f-98e8-6fc60935fa0c)

* Architect: E-Election Code Should Not Be a Free-for-All [http://news.err.ee/sci-tech/7f244d47-86ee-41bd-a544-87bd756b...](http://news.err.ee/sci-tech/7f244d47-86ee-41bd-a544-87bd756b2b41)

------
relix
Creative Commons-licensed, written in Python using vim, shared on Github. It
ticks all the boxes, just sad that the README is empty.

Unless I'm mistaken, I can't find any tests though. Maybe they didn't release
it, but it's a bit worrying.

~~~
sjtgraham
Is the editor a program is written in really a criterion you evaluate software
against?

~~~
lmm
Do you not?

Of course it's not reliable, but for a quick heuristic I've found it to be
quite well correlated with the quality of the code.

~~~
fsckin
I've written some terrible code in vim. What editor has negative connotations?

------
ChrisAntaki
Nice, I'm looking forward to USA's voting software landing on GitHub.

------
thinkmoore
There has been significant work in the academic community about electronic
voting schemes. For example, Civitas
([http://www.cs.cornell.edu/Projects/civitas/](http://www.cs.cornell.edu/Projects/civitas/))
is a voting system developed by researchers at Cornell that provides universal
verifiability, voter verifiability, anonymity, and coercion resistance. It is
also implemented in a security-typed programming language, which provides
additional guarantees about the correctness of its implementation.

------
jpalomaki
Github link: [https://github.com/vvk-ehk/evalimine](https://github.com/vvk-ehk/evalimine)

------
mtgx
There was this talk on TED a few years ago about e-voting without fraud:

[https://www.youtube.com/watch?v=izddjAp_N4I](https://www.youtube.com/watch?v=izddjAp_N4I)

I think they had a website for it, too, but I can't find it right now, and
don't remember how it was called exactly.

~~~
Create
“You can't solve social problems with software.” (Marcus Ranum).

It isn't clear from the talk, that:

- you cannot inject votes digitally (within parts of the system) - you may
only verify your own vote, and may or may not know about "extra" votes,
especially under low turnout, which is very frequent (the euphemism is
"democratic deficit")

- supersedes chain voting: it is not clear, that voters cannot be bribed,
where the briber can ask for your receipt to verify your voting (currently
this is done by buffering voting slips: the first is taken out, filled out in
front of the briber and exchanged for the clean copy inside the booth, which
in turn is taken out etc.).

------
kmfrk
Vote for Bobby Tables!

------
ikarustigger
You should read the book "Ein König für Deutschland" (A King for Germany) - it
very reasonably makes clear why computer-based voting always will be much
more easily manipulable and why democracies should stay with paper-based voting.

------
marze
So surely some open source hardware + software voting machines are being
developed somewhere...

True?

