Proprietary Software And Our Hackable Elections

Bloomberg reports that:

Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database….the Russian hackers hit systems in a total of 39 states

In Decoding Liberation: The Promise of Free and Open Source Software, Scott Dexter and I wrote:

Oversight of elections, considered by many to be the cornerstone of modern representational democracies, is a governmental function; election commissions are responsible for generating ballots; designing, implementing, and maintaining the voting infrastructure; coordinating the voting process; and generally insuring the integrity and transparency of the election. But modern voting technology, specifically that of the computerized electronic voting machine that utilizes closed software, is not inherently in accord with these norms. In elections supported by these machines, a great mystery takes place. A citizen walks into the booth and “casts a vote.” Later, the machine announces the results. The magical transformation from a sequence of votes to an electoral decision is a process obscure to all but the manufacturers of the software. The technical efficiency of the electronic voting process becomes part of a package that includes opacity and the partial relinquishing of citizens’ autonomy.

This “opacity” has always meant that the software used to, quite literally, keep our democracy running has its quality and operational reliability vetted, not by the people, or their chosen representatives, but only by the vendor selling the code to the government. There is no possibility of, say, a fleet of ‘white-hat’ hackers–concerned citizens–putting the voting software through its paces, checking for security vulnerabilities and points of failure, the kinds that hostile ‘black-hat’ hackers, working for a foreign entity like, say, Russia, could exploit. These concerns are not new.

Dexter and I continue:

The plethora of problems attributed to the closed nature of electronic voting machines in the 2004 U.S. presidential election illustrates the ramifications of tolerating such an opaque process. For example, 30 percent of the total votes were cast on machines that lacked ballot-based audit trails, making accurate recounts impossible….these machines are vulnerable to security hacks, as they rely in part on obscurity….Analyses of code very similar to that found in these machines reported that the voting system should not be used in elections as it failed to meet even the most minimal of security standards.

There is a fundamental political problem here:

The opaqueness of these machines’ design is a secret compact between governments and manufacturers of electronic voting machines, who alone are privy to the details of the voting process.

The solution, unsurprisingly, is one that calls for greater transparency; the use of free and open source software–which can be copied, modified, shared, distributed by anyone–emerges as an essential requirement for electronic voting machines.

The voting process and its infrastructure should be a public enterprise, run by a non-partisan Electoral Commission with its operational procedures and functioning transparent to the citizenry. Citizens’ forums demand open code in electoral technology…that vendors “provide election officials with access to their source code.” Access to this source code provides the polity an explanation of how voting results are reached, just as publicly available transcripts of congressional sessions illustrate governmental decision-making. The use of FOSS would ensure that, at minimum, technology is held to the same standards of openness.

So long as our voting machines run secret, proprietary software, our electoral process remains hackable–not just by Russian hackers but also by anyone that wishes to subvert the process to help realize their own political ends.

FOSS Licenses: Hackers As Legal Maestros

Over at Concurring Opinions, Biella Coleman writes a very good post on her anthropological work on hackers. In it Biella states what many of us who have looked at the world of free and open source software think:

[M]any developers are nimble legal thinkers, which helps explain how they have built, in a relatively short time period, a robust alternative body of legal theory and laws

I don’t fully agree with the reasons that Biella gives for why this might be so (i.e., similarities between programming and the writing of laws), but I don’t doubt for a second that this is true. Anyone that comes into contact with free and open source software (FOSS) licensing, and with the rich, vibrant discourse that permeates the FOSS community about copyright and patent law will know that many hackers know the law really well, and they know how to hack the law to make it work for them.

So I found Orin Kerr’s response curiously skeptical:

Can you give a few examples of how the group you have studied are “nimble legal thinkers”? And what are the “robust alternative body of legal theory and laws” that you mention? I think I can say I’ve been somewhat near this space for a few years and I wouldn’t reach that conclusion: I’ve encountered a lot of naive and self-serving legal claims over the years, but not a lot that I would call nimble or robust.

I think the replies in the comments space address Kerr adequately but I’d like to throw in my tuppence in any case. And I’ll do so by talking about what I know best: FOSS licensing.

First, I think FOSS licenses present an alternative body of legal constructs that show how within a political economy that was increasingly becoming proprietary and using copyright, patent and trade secret law to lock down its content (copyright executables; patent algorithms; treat code as trade secrets), an alternative zone of creation can be created, which can flourish, be viable, and be richly productive of more and better code. (Look, for instance, at how FOSS licenses solve the problem of protecting their projects from patent infringement lawsuits, and how they solve the problems inherent in multiple-authorship of a body of code.)

Second, as for being “nimble” thinkers, I think copyleft licensing is a work of genius–hats off, Richard Stallman and Eben Moglen–and represents, in my mind, one of the cleverest hacks to the legal system that I’ve seen. The GPL–in all its incarnations–reveals a deep understanding of the law, and how best to utilize it to bring about desired ends–solving the problem of non-reciprocity that could create a tragedy of the commons–within an existent legal framework (the GPL’s protection of the commons gives it a practical and ethical advantage over other FOSS licenses). Read GPL V3 and look at how cleverly it addresses the challenges that made its release necessary; it’s “nimble” all right. Any lawyer that reads the GPL, understands it, and gets what it is trying to do, should be struck by the sheer cleverness of how copyright law can be made to serve ends that might not look like its original intended ones, but actually turn out to be in great resonance with them.

Third, I don’t think it is any exaggeration to say that a great deal of thinking about how artistic content in the new political economy of the digital world could be distributed and regulated in a way that is respectful of artists’ and consumers’ interests alike, has been inspired by FOSS licensing. (Creative Commons licensing is a very good example of this; that body of licenses presents an alternative way to deal with artistic content today; it isn’t perfect, but it’s a start, and it got started by FOSS licenses.) Sometimes I wonder, indeed, if anyone talking about the new digital economy and how to legally configure it hasn’t been inspired by FOSS licensing and practices somehow.

When it comes to being “self-serving,” I’d suggest that there is a general tendency in the legal academy to simply not admit that law can be “done” by non-lawyers, that a body of rules built up over a period of time can be “hacked” by others than them.