Joseph Kiniry, a computer science lecturer at University College Dublin, seems an unlikely candidate to work on open-source voting software.
He believes e-voting is risky and current e-voting software is substandard. Nonetheless, e-voting is here to stay, and governments around the world have sunk big money into systems that have been roundly assailed by computer security experts as insecure.
"I think governments feel like if they're not being modern, there's something wrong with them," said Kiniry, who describes himself as half mathematician and half software engineer. "They think that computers are somehow infallible, forgetting that people are the ones who create and use computers."
That's why Kiniry and a team of researchers have built an e-voting software system that they hope will provide a foundation for future secure systems. The code is open source, a decision made to ensure the platform can be widely scrutinized by peers, and should be released in July.
E-voting seems simple—just click and then count the votes, right? Wrong. It's fraught with complexities, from translating vague election laws into software rules to recounts and the panoply of security and privacy concerns.
The team started with a body of code that was part of the Dutch government's "Kiezen op Afstand" (KOA) project, which is Dutch for "remote voting."
The project involved vendor Logica, but was eventually ended. The Dutch government decided to release the code under the GNU GPL license after stripping it of its proprietary elements.
The code was decent—not overly engineered or overly complicated—but nearly unusable at the time. It wouldn't even compile, Kiniry said. Further, all of the documentation was in Dutch, he said.
The team used reverse engineering techniques to construct the missing code. What they came up with was a system that Kiniry believes surpasses other open-source e-voting software and commercial systems he's analyzed. But that doesn't mean it's ready to be used for an important national election. "We're just using it as an experimental platform and trying to make it better and let other people play with it," Kiniry said.
The back-end software, written in Java, will run on Linux or Apple's OS X. The user interface, viewed through a Web browser, is "Google simple," Kiniry said.
Here's how it works: Voters register to remotely vote at a government office and pick a PIN code. A unique ballot is mailed to the voter that can be used only by that voter. On election day, users go to the website, type in a voter ID code and their PIN, and vote.
The ballot has a number next to each candidate that is different for every voter, a type of pre-encryption. When a vote is cast, that unique number is transmitted to the server and decoded into the correct candidate.
Kiniry said there are still attack vectors to tamper with the results, but the bar is raised higher. Even if the number were intercepted during transmission to a database, it would essentially be meaningless because it's different for every voter.
After voting, the user gets a receipt number that can be used to verify that the ballot was counted.
Recounts, while essential, are opaque and tricky since there are no physical ballots. Current software recounts by just running the same software program over again, which "to me is not a legitimate recount," Kiniry said.
One idea is to allow third parties to create their own software that would verify the secure transmission of votes into the database, Kiniry said. Then, those parties could run their own tally software and recount the votes.
But what if each system comes up with different totals?
"Given the ambiguity we see in the law and the way ballot voting has taken place even without computer technology, it would in some sense be little surprise that there might be some ambiguities with computer technologies," Kiniry said.
Part of the trouble is putting what are sometimes vague election laws into a language that software can accurately execute. Ireland's election system, for example, involves the redistribution of votes for losing candidates to those who have more votes.
It's possible—and legal—to come up with two different winners depending on how those votes are redistributed, Kiniry said.
"How do you encode that in software?" Kiniry said. "That leaves ambiguities. Counting is not easy."
One of Kiniry's colleagues, Dermot Cochran, a research programmer at University College Dublin, wrote a software specification of the Irish counting system for his master's degree dissertation. He used the Java modeling language to express the rules in a mathematical form. But he cautioned the system needs more testing.
"Other researchers would need to really confirm the security aspects of the system," Cochran said.
Kiniry concurred that even if their system proves to be a worthy piece of software, there are still too many social and political hang-ups around e-voting.
"Maybe someday we will have some degree of certainty where we can use it," he said. "I believe that day is quite a ways off. Unfortunately, we are going to see [e-voting systems] used anyway."