
Ep. 39: Is Open Source Software the solution to our election woes?

CBS: A huge number of voters have already cast their ballots… some say people with guns
and some wearing tactical gear approached them at the ballot drop location…

(MUSIC)

DINA TEMPLE-RASTON: Election doubters are on the march.

CBS: …states where Republicans who questioned the last election are on the ballot…

TEMPLE-RASTON: And Julie Wise is bracing for them…

JULIE WISE: It is very much a different time to be an election administrator, unlike any I've
seen in the last 22 years.

TEMPLE-RASTON: Julie would know. She’s the director of elections for King County, the part
of Washington State that includes Seattle. And over the past two decades, Julie’s had just
about every job in elections a person could possibly have.

WISE: From answering voter questions on the phone to drawing precinct maps to
processing ballots and more.

TEMPLE-RASTON: And the current level of voter distrust makes her head spin.

WISE: I am often accused of only counting ballots for the Democratic party candidates. I'm
often accused of throwing away people's ballots or disregarding or changing their votes.

TEMPLE-RASTON: And it isn’t just Washington: Hundreds of candidates on the ballot in this
year’s midterms still say that President Biden didn’t win in 2020 — and that level of
denialism is fueling harassment and threats against election workers like Julie.

It has gotten so bad Washington State passed legislation that would make it a felony to
harass election workers.

WISE: It's exhausting for one and it also, I think, feels, frankly, like there is a war on elections
happening amongst the people right here in the United States.

TEMPLE-RASTON: Voting skepticism is everywhere too. And that has been going on for a few
years now.

DONALD TRUMP: We have a company that’s very suspect. Its name is Dominion. With a turn
of a dial or the change of a chip, you can press a button for Trump and the vote goes to
Biden.

TEMPLE-RASTON: This is not true by the way.

TRUMP: We have to go to paper. Maybe it takes longer, but the only secure system is paper.

TEMPLE-RASTON: Um, Dominion actually uses paper ballots. But convincing people
otherwise clearly isn’t working.

REPUBLICAN CANDIDATE: Donald Trump WON.

MARJORIE TAYLOR GREENE: I know for a fact there was so much wrong…

REPUBLICAN CANDIDATE: If we don’t call the Democrat machines out on this fraud, then in
future elections, they know they can get away with it.

TEMPLE-RASTON: But even before Trump, Ben Adida saw this lack of trust coming. And
he thought it was going to cause some real problems.

BEN ADIDA: I'm Ben Adida, I'm the Executive Director of VotingWorks.

TEMPLE-RASTON: (Laughs) Okay I thought there was going to be more after that.

ADIDA: (Laughs) I dunno how much I have a tendency to say too much. So I'm, how much do
you want me to say?

TEMPLE-RASTON: Ben is part election geek, part computer scientist. And he’s spent most of
his adult life studying election security.

ADIDA: So I didn't come into it thinking 2020 would be such a traumatic experience for the
country. But I did have a feeling that in general, we needed to do more for trust in election
equipment.

TEMPLE-RASTON: And he’s come to the conclusion that just throwing more facts at people
who have already decided something’s shady isn’t working. Maybe what you have to provide
instead is transparency — so people can see for themselves.

In France, they have a translucent ballot box.

ADIDA: Your vote is in an envelope, and then everybody can see you dropping the envelope
into the clear glass box so there's kind of this public observation of a process.

TEMPLE-RASTON: What if there was a souped-up version of that? Ben says if voting in the
U.S. had that kind of total visibility, election conspiracies might lose a little of the oxygen
they need to breathe.

(THEME MUSIC)

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence. Today, one man’s quest to restore public confidence in the ballot box.

He’s helping create a voting system with a kind of high-tech transparency that will
completely change, literally, what we know about elections.

ADIDA: I just wasn't proud of what this industry was producing. And I thought that we could
do better.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: To understand where Ben is coming from, you have to start with the
landscape of the American voting industry. There are only three major voting machine
manufacturers in the country now: Dominion, Election Systems & Software (or ES&S) and
Hart InterCivic.

They’re all private companies. They all use their own proprietary source code. And they all
do what private companies do: they keep their cards pretty close to the vest. Nothing wrong
with that. But, in the current partisan environment, that alone has been enough to arouse
suspicion.

ADIDA: And I decided that we needed to change the incentives that vendors have in this
space.

(MUSIC)

TEMPLE-RASTON: VotingWorks, which Ben co-founded in 2018, has gone a different route.
Just like those traditional companies, it makes voting machines. But it’s a non-profit, which
means its finances and funding are an open book.

ADIDA: And I thought that by going about it the non-profit way, we could hold ourselves to a
particularly high bar.

TEMPLE-RASTON: And second: Instead of proprietary election software, VotingWorks’ voting
machines run on software everyone can see: open source software — code that is
transparent by design.

ADIDA: I'm gonna try to say this in a way that's not completely self-serving. Yes, I think it's
obvious to any modern technologist that this source code should be open source. Like this is
not rocket science.

TEMPLE-RASTON: If someone is worried that a voting machine is programmed to flip a vote
to their opponent, no problem. Hire some computer geek and they can go right double
check the machine’s source code, and let everyone know what they found.

The idea of building trust through publicly accessible code isn’t new. Some of your favorite
browsers and programming languages are open source code: Firefox, Python, and Linux, just
to name three.

Your Android phone? It runs on Linux. And the idea behind open source is two-fold: first it is
meant to be collaborative. This is code that anyone can view, anyone can ask to modify and
anyone can share. All that scrutiny has something else built-in: It is incredibly secure
because anyone who wants to can check your work.

ADIDA: You get this complete transparency into how the system was built, but you get just
as much — if not more — scrutiny over which parts actually make it into the final product.

TEMPLE-RASTON: Ben says the mere fact that people who know what they are doing could
be watching makes a difference in the way people behave.

ADIDA: Imagine baking a cake with expert bakers watching every step you take.

TEMPLE-RASTON: Open Source is the coding version of the Great British Bake Off.

(GREAT BRITISH BAKING SHOW MUSIC)

ADIDA: You're gonna be particularly careful about how you bake that cake. Let me make
sure I measure my ingredients right. Let me make sure I take the time to beat the eggs
properly, like, et cetera, et cetera, et cetera.

TEMPLE-RASTON: If someone takes a shortcut…

BAKE OFF: Bakers, you have one minute left….

ADIDA: Someone's going to see that, right? The expert baker is watching us all the time,
and so it's not just a question of transparency that's really important. It's also kind of a way
to hold ourselves accountable.

TEMPLE-RASTON: So that in the end…

BAKE OFF: It really is a very, very good cake.

(MUSIC ENDS)

TEMPLE-RASTON: What that means in the context of the elections is that, just like a
contestant on British Bake Off, the voting machine code is on full display. And if you think
you spot an error…

ADIDA: Throw your experts at the source code, and if they have any complaints, you have
my email address. I want to hear.

TEMPLE-RASTON: In other words, the opposite of the way the election industry does it today.

TEMPLE-RASTON: And so, so your motivation was less to address what we're now dealing
with, which is people don't trust elections and more to fix what seemed to you to be a
broken industry?

ADIDA: I think those two are tightly connected.

TEMPLE-RASTON: So that’s the first part of Ben’s mission — to make all the code that tracks
and records the vote completely visible to anyone who wants to see it. Outsiders won’t know
how you voted, just that you did. The second part has to do with making an election feel the
same way it always has.

ADIDA: You want users of the system to look at it and go, Oh yeah, this is a paper-based voting
system, just like the one we used last year looks good. Oh, it's a little faster. Oh, it's a little sleek. Oh,
wow. It's a lot simpler to use.

TEMPLE-RASTON: He’s set out to build a new voting system that’s not only 100 percent
transparent, but also comfortably familiar.

ADIDA: It has to look like and feel like a voting system they already understand. If you come
up with some whizbang high tech feature that looks different, feels different, you’re making
people uncomfortable.

TEMPLE-RASTON: So Ben’s machines allow voters to mark ballots by hand or by
touchscreen. And they cast voter-verifiable paper ballots followed by that sticker that reads
“I Voted.” This is classic voting.

Now, VotingWorks isn’t the only group that has twigged onto the importance of
transparency. Microsoft has a program that is using fancy cryptography to tally the votes.
Lawmakers have started reaching across the aisle to see if there are ways to employ open
source software more widely.

(MUSIC)

ADIDA: It's not the only thing we need to do, but it's another significant piece of evidence.

TEMPLE-RASTON: When we come back, Ben tests his theory in the wild.

ADIDA: A real election at small scale…

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: Ground zero for Ben Adida’s new VotingWorks machines is New
Hampshire. David Scanlan is the Secretary of State there, and he says they’ve been studying
open source software as a solution for the black box of voting machines for more than 15
years.

SCANLAN: New Hampshire is a state that is always in election mode. Our electorate is, you
know, tuned to this, it's part of our culture, and our elections run pretty smoothly here.

TEMPLE-RASTON: Which may be why Scanlan feels comfortable trying new things, like a
VotingWorks pilot. Scanlan says people in New Hampshire have made clear they wanted to
have more election transparency.

SCANLAN: There is a strong desire to see how ballot counting machines are actually
counting the ballots, and open source software really is the only way that you can do that
effectively.

TEMPLE-RASTON: So during the midterms, VotingWorks machines will be deployed in three
towns: Woodstock, Ashland and Newington. Just a thousand voters in each will use the new
machines.

SCANLAN: Every voter will run their ballot through the device. At the end of the night, the
state is going to bring the ballots to Concord and in a public session do a hand count of
every single ballot and every single race on each of those ballots.

TEMPLE-RASTON: Scanlan says he believes the only thing that should be secret about
voting is who a specific individual voted for. Everything else should be transparent.

SCANLAN: We should bend over backwards to educate the voting population, help them
understand the process. The fact that there's many checks and balances in place in the
election and a person in New Hampshire can observe the process from start to finish — I
think if we focus on that, hopefully we can convince as many voters as possible that, you
know, everything that we do here is above board.

TEMPLE-RASTON: Ben said the pilot is a small test to build confidence.

ADIDA: A real election at a small scale so that if something goes wrong, you can address it
and it doesn't have a lot of impact. Because things can go wrong with new equipment. It
happens. But this idea that in a real world election, you're gonna compare the machine
count to the hand count, it's fantastic.

(MUSIC)

TEMPLE-RASTON: While Ben is an open source guy, some people complain about it. In spite
of the hordes of people watching over the code — and years of checking and rechecking —
vulnerabilities happen. The most infamous example of a problem in open source code is
something called log4j.

NBC LOCAL: A new cyber threat that may impact hundreds of millions of tech devices.

TEMPLE-RASTON: Without getting into the weeds of it, developers use log4j to keep a record
of activity in an application. And it was a huge deal when the vulnerability was discovered.

NBC: We’re talking about phones, cars, video games, apps, social media, websites, the list
goes on…

TEMPLE-RASTON: Right away, a lot of people said ‘See, open source is dangerous.’ But that
is misunderstanding what happened. Open source wasn’t the issue. The real reason this was
a disaster was that Log4j had been so widely used that this buggy software was showing up
everywhere.

ADIDA: There was some work that came out of the DoD afterwards to emphasize that, you
know, open source is not the cause of problems like this. It's the popularity of that library
that was the cause, right? The fact that all these systems were using this one library that
had a very, very serious bug.

TEMPLE-RASTON: Log4j aside, the trend is toward finding a role for open source software to
build confidence in elections. Alaska’s legislature is considering a bill that would make open
source software, like the kind VotingWorks uses, the basis of its voting machines.
VotingWorks machines have already been tested in Mississippi, and now there’s this live pilot in
New Hampshire.

But the facts about what really happened in 2020 — all the litigation, all the investigations,
all the evidence that was gathered to show that President Biden won fair and square —
really don’t seem to matter.

And proof of that is the slate of candidates questioning 2020 results who are running in the
midterms, which is discouraging. Because if facts don’t matter, why would open source
software make any real difference? And Ben has conceded as much.

ADIDA: There's no silver bullet. There's no, like, here's the one mathematical proof that
everything went well.

TEMPLE-RASTON: But Ben says that every data point, everything that people can clearly see
with their own lying eyes helps nudge them away from conspiracy theories. And that’s a
start, and all he can do for now.

ADIDA: It's just a lot of overwhelming evidence. It's a lot of individual data points that taken
together become overwhelming evidence that things went well.

TEMPLE-RASTON: After that, common sense has to take over, which is what Julie Wise is
waiting for. Ahead of the midterms, she’s worried.

WISE: I've seen friends in the election industry where they're put on websites, as well as the
home address where they have children and their family at, with a bullseye or in the
crosshairs.

TEMPLE-RASTON: And in the meantime, while she waits for common sense to prevail, Julie’s
offering her staff a roster of pre-election training classes. One of the offerings: dealing with
active shooters.

This is Click Here.

(B SEGMENT MUSIC)

TEMPLE-RASTON: Open source information can cut both ways. Just ask Wikipedia, the online
encyclopedia written and maintained by volunteers. Entries on the site are based on two
things: a kind of crowd sourced fact checking and editing process and faith that people will
do the right thing. A group of British researchers figured out in some ways that faith may be
misplaced.

Kendra Hanna reports.

(MUSIC)

KENDRA HANNA: Back when he was in undergrad, a researcher named Carl Miller decided
to make a Wikipedia entry. And it has haunted him ever since. Not because it was
particularly insightful or got a lot of attention, but for an entirely different reason: it was
completely made up.

CARL MILLER: It was vandalism. It was a long time ago, and I introduced a fictitious figure as
the inventor of the butterfly stroke.

HANNA: That’s right, he decided to make up a guy and then attributed the invention of the
world’s hardest swimming stroke to him. Just for fun. If that wasn’t enough, his Wikipedia
entry eventually found its way into The Guardian newspaper. Carl is embarrassed about the
whole thing.

MILLER: I apologize to them all. It was a ridiculous and stupid thing that I did.

HANNA: So, for a brief moment, Carl Miller found himself the purveyor in the dark art of
disinformation, which is ironic because now he fights it for a living, as the Research Director
at the Centre for the Analysis of Social Media at Demos, in the UK.

MILLER: Information is a theater of war. It's a space that war happens within, you know,
which is really what I think underlies the way in which the perpetrators of information
warfare think about it now.

HANNA: And one of the world’s most accomplished perpetrators is Russia. So when Putin
ordered the invasion of Ukraine in February, Carl couldn’t help but wonder what kind of
information warfare was going on behind the scenes.

If I was an information warfare officer, he remembers thinking, why would I bother with
Twitter or Facebook…

MILLER: …when Wikipedia was there, you know, this juicy, extremely precious piece of digital
real estate.

HANNA: It’d be great cover for information operations because by its very nature, it’s
collaborative. So anyone can jump in and start shifting the narrative. Carl and his fellow
researchers began looking for a specific kind of Wikipedia editor: one that used fake
identities, personas, multiple accounts.

And they started to notice some patterns in a Wikipedia page about the war. Things like:

MILLER: Casting doubt on pro-western accounts, trying to maximize the objectivity of
pro-Kremlin accounts. Kind of introducing Kremlin quotations and talking points and press
releases. Of course, it’s not really disinformation per se.

HANNA: But they were tweaks that would cast doubt on entries that might have contained a
whiff of anti-Russian sentiment. And then when Carl and his team dug into those entries…

MILLER: there were, say, two or three editors that continuously add, say, seven or eight of
the same URLs.

HANNA: Same editors, same links to state sponsored websites. All told, there was a group of
86 editors who seemed a bit sketchy, and while Carl can’t link them to Russia or any
information operation directly, it offends him that someone, somewhere is tinkering with
Wikipedia — and doing that in a kind of sinister way.

MILLER: You try not to be angry as a researcher, but when you see edits that try to minimize
the impact of alleged war crimes, you know, they, they, they stay with you.

HANNA: The editors who did all this? Wikipedia eventually banned them from the site. For
Click Here, I’m Kendra Hanna.

(HEADLINES MUSIC)

TEMPLE-RASTON: Here are some of the top cyber and intelligence stories from the past
week.

The White House hosted an in-person discussion this week aimed at countering
ransomware. Corporate executives and leaders from more than two dozen countries around
the world met in person to discuss the administration’s “Counter Ransomware Initiative.”
Ransomware actors have been targeting both public and private sector companies around
the world over the past year. The second largest public school district in the U.S. was
targeted a few months ago. Nearly 300,000 of its files were posted after the school district
refused to pay a ransom.
Australia’s largest health insurer recently fell victim to a cyberattack. The White House said
the gathering was an attempt to bring companies and government officials together to try
to figure out how to tackle the issue. Microsoft, Palo Alto Networks, Siemens, German
enterprise software maker SAP and cybersecurity firms Crowdstrike and Mandiant were all
in attendance.

The U.S. Department of Justice has charged a Ukrainian national over his alleged role in
something called Raccoon Infostealer. Twenty-six-year-old Mark Sokolovsky is accused of
being a key administrator of the malware that vacuums up personal information, including
email addresses, identification numbers, bank account and cryptocurrency information.
Sokolovsky – who allegedly goes by the online moniker RaccoonStealer – is facing conspiracy
to commit computer fraud, wire fraud, money laundering, and identity theft. If found guilty,
he could face up to 20 years in prison.

And finally the Federal Communications Commission approved new rules aimed at
protecting emergency and wireless alert systems from cyber threats. Operators of public
warning systems will be required to report breaches within 72 hours. The rules also require
participants to annually certify that they have a cybersecurity risk management plan in
place and have installed the most recent security updates to systems. The FCC said it tested
the emergency systems a few months ago and found that more than 5,000 devices relied
on outdated software.

(THEME MUSIC)

TEMPLE-RASTON: Click Here is a production of The Record by Recorded Future. I’m Dina
Temple-Raston, your host, writer and executive producer.

Sean Powers is our senior producer and marketing director, and Will Jarvis is our producer
and helps with writing. Karen Duffin and Lu Olkowski are our editors. Darren Ankrom is our
fact checker. Ben Levingston composes our theme, and Kendra Hanna is our intern.

A special thanks this week to editor Audrey Quinn.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts, and connect with us by email: Click Here [at] Recorded Future [dot] com or on our
website at ClickHereshow [dot] com. I’m Dina Temple-Raston. We’ll be back on Tuesday.
