[Linux-aus] Grant request: Contribution to Senate voting source code FOI request review.

[Anthony Towns]

On 23 June 2014 11:56, Chris Neugebauer <chrisjrn at gmail.com> wrote:
> One of our members, Michael Cordover, has been going through the
> Freedom of Information process to gain access to the source code used
> by the Australian Electoral Commision to tally Senate votes in
> Australian federal elections.

Has there been any attempt to address this at the policy level? ie,
contacting the AEC chairperson, or the Special Minister of State
(Michael Ronaldson) who are presumably responsible for setting the
AEC's policy as to whether these public review/exposure is more
valuable than commercial exploitation?

For instance, I see from the AEC's JSCEM submission from 2003:

"8.12 In the interests of transparency, and because there are no security
implications,[41] the code will be available for review. Potential
reviewers will
have to have the appropriate infrastructure (such as a VB license) in order to
undertake a review."

Has there been any attempt to request source code for review on this
basis via whatever the ordinary channels are? (as opposed to via a
FOIA request)

Hmm. I see a tender has actually been awarded for exactly that sort of
code review fairly recently:

https://www.tenders.gov.au//?event=public.cn.view&CNUUID=53E31E1A-E681-11E3-D447B0A5C9424137

That's for $56k over two months, fwiw. Any idea if that was an open
tender? I see there was a previous EasyCount related tender that
appears to have been originally for $37k that blew out to $111k over
two months in 2010 though:

https://www.tenders.gov.au/?event=public.cn.view&CNUUID=F689DACD-AFDE-8AE5-249C684482FDF8F3

(I'd content the current tender is more on-point being a general
review, versus the NATA accreditation of the earlier tender)

As far as I can see, the AEC doesn't turn a profit from running
non-public elections (it does some union elections because it's
legislatively obligated to, and it does "fee for service" elections
for people who ask on a "full cost recovery" basis). That seems like
it means that the source code might fail the third leg of the "trade
secret" definition, ie "if disclosed to a competitor, the information
would be liable to cause real or significant harm to the owner of the
secret"

http://annualreport.aec.gov.au/2011/program-1-2/fee-for-service.htm
http://annualreport.aec.gov.au/2013/about/programs.html
http://www.oaic.gov.au/freedom-of-information/applying-the-foi-act/foi-guidelines/part-5-exemptions/documents-disclosing-trade-secrets-or-commercially-valuable-information-s-47

Ah, according to the AEC submission to OAIC, fee-for-service stuff
only totals $1.5M per annum anyway. (Compared to ~$160M to run a
federal election)

> Whilst I'm not a lawyer, I've been following the process quite closely
> since it started, and have been deeply bemused by the AEC's arguments,
> which I personally feel are either technically flawed or absurd.

If the AEC were providing election services on a for-profit basis (and
if "full cost recovery" includes development costs and help defray the
cost of Federal elections, maybe you could argue that it is anyway,
but the amount seems pretty trivial), then the trade secret argument
seems like it would be legally sound to me, albeit poor policy.

Licensing to other government agencies (ie, Qld, SA and NT) might pass
legal review as commercial value, but seems pretty weak to me given
it's all Australian government. NT especially, given it's a territory
and thus a Federal responsibility anyway, technically...

The AEC's claim that "publication of the source code for the EasyCount
software a more significant risk as regards creating opportunities for
electronic attack (hacking)." is interesting. That seems equivalent to
claiming that a small number of Australians who've worked closely with
EasyCount in the past have the ability to influence the outcome of
many Australian elections remotely... Hmm, especially when combined
with: "I also found that the underlying code-base is shared between
editions (eg. Senate, Fee-for-Service, etc) and is easily
'de-compilable' using publically available utilities. This means that
a member of the public could gain access to, and leverage, AEC
intellectual property stored in the source code for any EasyCount
edition (ie, Senate, ICE, or SAEC)."

So, step 1: be involved in an industrial election handled by the AEC;
2: copy the executable code while no one's watching; 3: decompile it;
4: exploit the senate vote count in the next federal election... Seems
like a relatively easy scenario to sell to the government of the day
as to why more thorough review of the AEC software should be part of
Australia's "open government" policy, whether or not it's already
required under the FOIA. It seems to mesh with a couple of other
policy principles too:

"accelerate Government 2.0 efforts to engage online, make agencies
transparent and provide expanded access to useful public sector data"
   http://lpaweb-static.s3.amazonaws.com/Coalition%27s%20Policy%20for%20E-Government%20and%20the%20Digital%20Economy.pdf