I see stories about how election is rigged or that there are security vulnerabilities and lots of people don’t believe the outcome. Why don’t they just open source everything so that anyone can look at the code and be sure the votes are tallied correctly?
I don’t know that that’s the reason, but I have an intuition from having been an election judge here in Illinois.
A voting machine is a closed-circuit system that just counts votes and prints the tally. It is not connected to any network, and getting its software upgraded requires a key that only the voting machine company has, and a seal that is unique and that can only be replaced by that voting machine company.
To make it clear with an example: a judge ruled in Illinois that ballots that would be in either English or Spanish were now void, they all had to be in both language at the same time. Because that didn’t use to be the case, the election judge has to choose for each person between “English”, or “Spanish”, or both in the UI, and if they don’t choose both, the ballot is void. It’d be a trivial UI fix, and critical enough that you’d think it would be a priority. And yet the past elections still had the old UI, because updating the software on there is that hard.
So my intuition: if a CVE was found in one of the open-source solutions on there right before the election, the voting company would have to patch it, except it couldn’t realistically be done in time, so the election would be canceled until there is enough time without a CVE. Which of course doesn’t typically happen for very long. But if it’s all closed-source and the voting machine company is on the line for it, therefore that problem doesn’t exist.
security through obscurity is a terrible idea - the problem is still there, and a determined attacker will find it anyway