LOS ANGELES, CALIF. – Election security was once a niche topic, but after the DNC revealed that its computers had been penetrated by Russian hackers in the Summer of 2016, it has entered the mainstream awareness as an urgent matter of national import.
During this time of heightened scrutiny to safeguard against foreign interference in U.S. elections, the choice of a foreign tech company with a dubious past and strong ties to the Venezuelan government to overhaul LA County’s antiquated voting system may seem odd.
But this June (on the heels of a major glitch during the California primary involving 118,000 missing names on LA County voter rosters) the Los Angeles County Registrar-Recorder, with the unanimous vote of the Board of Supervisors, awarded a $282 million contract to Smartmatic for the county’s new vote tally system.
How Much of The Multi-Million Dollar Open Source Vote Tally System Did Smartmatic Copy and Paste?
By August Smartmatic delivered “VSAP” (Voting Solutions for All People), and the office of California’s Secretary of State certified it for elections after testing for functionality and security.
Both LA County and Secretary of State Alex Padilla made much of the fact that Smartmatic had developed the software for VSAP from open source code, but that very fact and the stunningly quick turnaround time for the multi-million dollar contract may leave taxpayers in the county wondering:
How much of the software in the voting system Los Angeles just spent millions of dollars on was already available in the public domain – for free? Did Los Angeles County just pay Smartmatic $282 million to mostly copy and paste some public domain code?
Smartmatic Got Its Start With Grant Money, Contracts From The Chavist Venezuelan Government
After receiving seed funding to focus on election technologies from Jorge Massa Dustou, one of the richest individuals in Venezuela, three Venezuelan software engineers incorporated Smartmatic in Delaware and Bizta (Spanish for “Great”) in Venezuela in April 2000.
By 2003 the software firm was struggling to make any sales, and it was at that time that Bizta received a $150,000 grant from the Venezuelan government in exchange for a 28 percent equity stake in the company and a seat on the board. Part of the arrangement involved Smartmatic acquiring Bizta at that time.
One of Smartmatic’s principals has stated that the grant was a loan that has been repaid in full, and that the Venezuelan government never sent a representative to board meetings.
The loan was repaid a month before Venezuela’s 2004 elections after the Venezuelan government’s close ties to the voting systems company came under public scrutiny.
Smartmatic Was Investigated in 2006 by The Intra-Agency Committee on Foreign Investment in The United States
With $120 million from three different contracts with the Venezuelan government, Smartmatic rapidly expanded the following year, purchasing British-owned, Oakland, California-based Sequoia Voting Systems in 2005, which had supplied voting machines in 17 states and the District of Columbia.
The acquisition triggered a 2006 investigation by the intra-agency Committee on Foreign Investment in the United States to determine the extent to which the Venezuelan government was involved in Smartmatic’s operations. Representatives of the company and the Venezuelan government vehemently denied any relationship outside of contracting Smartmatic to provide Venezuela with voting systems.
Smartmatic cooperated with the investigation at first, stating that public transparency has always been its policy, but before the investigation could be completed, Smartmatic sold Sequoia later that year without fully disclosing who is involved in the ownership and management of the company.
Up until then, Smartmatic was incorporated in Delaware and headquartered in Florida, but after selling Sequoia and shaking off the federal investigation, the company obscured its corporate structure in a complex web of holding companies in multiple countries throughout the world.
U.S. Department of State Embassy in Caracas: “Smartmatic Is A Riddle.”
In an official statement of its perspective regarding the ownership of Smartmatic, the U.S. Department of State says:
“Smartmatic is a riddle. The company came out of nowhere to snatch a multi-million dollar contract in an electoral process that ultimately reaffirmed Chavez’s mandate and all but destroyed his political opposition.
The perspective we have here, after several discussions with Smartmatic, is that the company is de facto Venezuelan and operated by Venezuelans. The identity of Smartmatic’s true owners remains a mystery.
Our best guess is that there are probably several well-known Venezuelan businessmen backing the company and who prefer anonymity either because of their political affiliation, or perhaps, because they manage the interests of senior Venezuelan government officials…
Smartmatic has claimed to be of US origin, but its true owners – probably elite Venezuelans of several political strains – remain hidden behind a web of holding companies in the Netherlands and Barbados.”
A History of Voting Machine Glitches and Gaps in Cyber Security
In 2012, when Belgium used Smartmatic voting machines at a cost of 40 million Euro, the Belgian government noted a number of technical glitches allowing some voters to vote twice, while blocking others from voting at all.
A 2014 security analysis by the University of Michigan, of an online voting system created by Smartmatic for Estonia, determined: “the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections.”
During the controversial 2016 elections in the Philippines, Smartmatic engaged in controversial practices leading to criminal indictments, such as funneling voting data from machines through “several servers apart from those sanctioned by the Commission on Elections during the May 2016 elections.”
For the 2016 Utah Republican Caucus, in which voters helped choose the party’s nominee for president, Smartmatic helped the state GOP implement an online voting system that was fraught with technical issues, blocking some residents from voting. Smartmatic received thousands of calls during the election from Utah voters who had technical issues with their software.
A researcher at one technology research firm said:
“Several of us did a lightweight analysis of it remotely… we found that [Smartmatic was] using technologies that even modern Web programmers stay away from… It’s like the dumbest possible choices are being made by some of these companies with respect to deployed technology that should be mission-critical!”
State And County Officials Call VSAP “Open Source” – But The Source Code Is Being Withheld From The Public
The LA County Clerk/Recorder-Registrar is touting VSAP as “the first publicly owned, open source election tally system certified under the California voting systems standards.”
Alex Padilla has also praised VSAP as open-source technology:
“With security on the minds of elections officials and the public, open-source technology has the potential to further modernize election administration, security, and transparency. Los Angeles County’s VSAP vote tally system is now California’s first certified election system to use open-source technology. This publicly-owned technology represents a significant step in the future of elections in California and across the country.”
Open source software is computer code that has been released into the public domain for anyone to read, use, rewrite, and/or distribute free of charge. But VSAP isn’t really open source as the LA County voter registrar’s press release suggests. It was created from open source software, but the final result is proprietary and secret.
That’s what Chris Jerdonek discovered when he made a Public Records Request to LA County for VSAP’s source code.
Jerdonek is a software developer with a PhD in mathematics, and happens to be the San Francisco Elections Commissioner.
He noted in the request that:
“The VSAP Tally Version 1.0 was identified and described in the following August 21, 2018 LA County press release as ‘the first publicly owned, open source election tally system certified under the California voting systems standards.’”
But the county responded that the source code is “exempt from disclosure,” because disclosing it “would create a potential security risk,” noting that “proprietary information” and “trade secrets” are exempt from disclosure under state and federal law.
In a second point under the heading, “Information technology systems of a public agency,” LA County exempted VSAP’s source code from disclosure because publishing it could “reveal vulnerabilities to attack or would otherwise increase the potential for an attack on the public agency’s information technology system.”
Strong Cryptographic Security
The problem with this kind of security – security by obscurity – is that it meets only a minimum threshold for cybersecurity. It’s a vestige of Cold War-era thinking, and pins a voting software system’s security on the hope that the source code can be kept secret.
But at a time when the emails of the Democratic presidential candidate and former Secretary of State can be obtained by foreign hackers, it’s not a hope on which we can responsibly base the integrity of U.S. elections, or any digital enterprise for that matter.
A truly secure voting system would be open source. Not made from open source software, as VSAP is, but open source itself, freely available to the public to view, adapt, and build on for elections elsewhere, in America and in other countries as well.
It would be so definitely and immutably secure that publishing the source code would not endanger it in any way.
Its security would not be based on secrecy – and the hope that no one is hacking, or leaking, or acting out of any kind of nefarious motives – but rather based on an immutable software architecture designed with the certainty in mind that someone is hacking, and leaking, and acting out of nefarious motives.
It would be cryptographically secure and provide voters with anonymity at the same time, the way Bitcoin does. Bitcoin is an open source banking protocol whose source code is available to anyone to download, inspect, and run on their own server. There would be nothing to leak, because the protocol would be designed from the start to be open source and available to the public.
A truly open source ethos with these priorities in mind (not the misleading use of the words “open source” as self-congratulatory marketing buzzwords) can certainly prevail in creating secure vote tally systems that we can all trust, and it’s just the kind of challenge developers in the open source community love to solve.