I object in the strongest possible terms to the notion that it is possible - much less desirable - to establish a fail-safe computing infrastructure for voting based on "open source" software.
The level of protection required to secure voting software far surpasses that of financial software, and it certainly deserves far greater protection than mere safety-critical software. Planes can crash, chemical plants accidentally vent noxious gases, and medical devices can malfunction - while our democratic way of life goes on, for everyone but the unfortunate few. Voting systems are national security systems. Compromise voting systems and the outcome is as disastrous as invasion and occupation by a foreign power, or even worse. Conquest by exploitation of voting system vulnerabilities not only preserves a country's economy in whole to facilitate plundering, it appears to occur under the guise of the free exercise of the democratic franchise, manufacturing the fraudulent appearance of the consent of the governed while pre-empting resistance.
Those of my colleagues who advocate the benefits of collective development and inspection of software should consider the logistical difficulties of tying a human-readable text document to the invisible binary modules actually running thousands of voting devices in the field, in a highly adversarial environment. Some believe that by adding additional layers of software to check software to check software to check software, somehow sufficient safeguards can be put in place to provide a suitable foundation upon which we can bet the fate of the American Republic.
This is utterly misguided from a whole-systems perspective. "Open source" software is just one small component in the end-to-end voting system, which includes not just tabulation software, but a vast array of other computer components such as operating systems, firmware, and device drivers. Consider that even if Diebold's optical scan software operated with perfect fidelity, it could be subverted through careful exploitation of integer overflow vulnerabilities using its peripheral memory card in such a way that the hypothetical pure-as-the-driven-snow software would be unable to detect that a bias had been introduced. And consider the process of deploying that vast array of components with total precision on hundreds of thousands of target devices in the field; that's hardly "open source". That's all done by people.
So more fundamentally: I consider all the output of a computer at all times to be suspect unless and until it is verified. Some of my colleagues feel the reverse; that we should trust the output of a computer unless we can show how it could be compromised. That shows a charming faith in other people's fundamental good nature, but that's no way to run a bank - or an election. When it comes to the integrity of computer systems that can quite literally take away my liberty, I don't accept "trust me - you don't need to double check this", and neither should you.
In consulting in e-Commerce security at very large companies over the last seven years, I've been constantly amazed at the astonishing ingenuity that both malicious insiders and external hackers bring to the challenge of compromising financial transaction processing systems. Human ingenuity knows no bounds when the prize is sufficiently rich. How much more dire must the threat be to any conceivable voting system? Some exploits might require years of preparation and millions of dollars to develop, but if the prize is the wealth and power of the American Republic, one must presume ruthless people are willing to invest whatever is required. And are out there, right now. And are not going away, simply because someone else steps up to volunteer to write the vote tabulation software.
As a consequence, Jonathan Simon and I have shown that to even consider using optical scan devices, you need a secure hand count audit of at least 10% of the ballots in a congressional election. And potentially more to protect elections with fewer than 150,000 voters. You need to perform this audit whether it's Diebold's Jeffrey Dean, or Avi Rubin, or Alan Turing himself come down from Heaven, who writes the tabulation code. Because you simply don't, can't and never will be able to know - with sufficient certainty to possibly throw away the American Republic - what each of those thousands of optical scan devices is actually doing unless you check their output. By hand.
But ignore the software for a moment.
What. Is. The. Point. of. Optically. Scanning. Ballots?
Cost? Voting is national security. Design, buy, count and secure a decent paper ballot for every election in the US you care to protect for less than the tab for one week's unprovoked military conflict.
Speed? Come off it. Canadian federal election results are known with certainty by midnight. Canadians are worthy people, but they possess no magical powers that enable them to count to 500 or so, in public, with repeatable accuracy and to all parties' satisfaction in a reasonable amount of time.
Ability to infer voter intent? Let me get this straight: it's somehow a good idea to substitute a self-correcting collection of multiple human brains (each one with the processing power equivalent to thousands of conventional computers) with a device dumber than a cockroach; in practice, so limited in its abilities that we have to severely dumb down our ballots for the poor little things to even have a snowball's chance of interpreting voter intent. ("Be careful to fully fill in the oval. Don't go over the edge, or it doesn't count. You must draw a dark line precisely joining the other two lines next to the candidate's name..."). Surely some of the brilliant user interface designers in the IT industry could come up with a paper ballot that would be designed for people and not for machines; for accuracy in recording voter intent and suited to public counting of votes by hand... rather than foisting ballots on people that look like 19th Century newspapers.
In my opinion, one of the most important ethical obligations of a computer professional is to inform the public when automation is an inappropriate solution. Since op scan tallies always have to be verified by hand counting, why invite the machines to the party in the first place? What is the problem that "open source" voting software solves? What aspect of "open source" optical scan tallying supersedes the civic benefits of restoring trust in elections by entrusting election administration to the citizens themselves?
Can we swallow our collective technical pride for once as a profession, and just say "no" to such an utterly inappropriate use of technology?